Subject: Re: Dante; what exactly are security mechanisms of pkgsrc?
To: Ing.,BcA. Ivan Dolezal <>
From: Stefan Schumacher <>
List: tech-security
Date: 07/12/2002 15:48:24
On Fri, 12 Jul 2002, Ing.,BcA. Ivan Dolezal wrote:

> [Dante-specific]
> I couldn't find any information on vulnerabilities of older Dante
> versions at and by searching with google "dante socks
> vulnerability". This doesn't mean necessarily that there are no vulns, I
> just couldn't find them. Reading the NEWS file in the Dante distribution points
> out some bugs that seem to be harmless, but maybe I just don't get the
> point. There is not any word "vulne*" or "explo*" anyway. Is this
> software really that bulletproof? I also couldn't find any mailing list
> like "dante-announcement."
> Could you give me some hint where to check Dante security?
> Is version 1.1.9 considered to be secure? Are all the later versions
> just some cosmetic improvements?

There is a Dante CERT at

> [pkgsrc]
> I don't really follow the sentence: "Note that we no longer issue
> advisories for thirdparty software packages (pkgsrc). Instead, an
> automated mechanism to audit installed binary package is provided in
> pkgsrc/security/audit-packages." I have no idea what is behind "an
> automated mechanism".

There is a package called audit-packages. It provides two programs:
download-vulnerability-list, which downloads the list, and
audit-packages, which audits your running system against this list, so
you get output if compromised packages are found.

|$ audit-packages
|Package openssh- has a remote-root-shell vulnerability, see

Automated means you can run it via at or crontab.

> If a package installed from pkgsrc is not audited as vulnerable, it can
> mean basically two things to me in a world of free software:
> - either it is not known as vulnerable,
> or
> - a vulnerabilities database used for an automated mechanism
>    wasn't loaded with the up-to-date data from the right place,
>    because nobody/nothing felt committed to do it

That's right. You can have a look at the database
and you will see that there are really a lot of vulnerabilities listed and a lot
of sources for those vulnerabilities, like FreeBSD, and so on.


All your platform are belong to us!
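To illustrate what the audit step described above actually does, here is an added example (written for this page, not the pkgsrc audit-packages tool itself) that checks a list of installed packages against a constructed vulnerability list in the same "package-pattern type url" layout. The version ordering is a simplified Dewey comparison and all sample data is made up; the real tool also understands glob and brace patterns, which are not handled here.

```python
import operator
import re

# Constructed sample in the layout of the pkgsrc vulnerability list:
# one "<package-pattern> <vulnerability-type> <reference-url>" entry per line.
SAMPLE_VULN_LIST = """\
# constructed sample, not the real pkg-vulnerabilities file
openssh<3.4 remote-root-shell http://example.invalid/openssh-advisory
dante<1.1.9 denial-of-service http://example.invalid/dante-advisory
zlib>=1.1.3<1.1.4 remote-code-execution http://example.invalid/zlib-advisory
"""

# Constructed installed packages in "name-version" form (as pkg_info prints them).
SAMPLE_INSTALLED = ["openssh-3.2.3", "dante-1.1.9", "zlib-1.1.3", "bash-2.05a"]

# A pattern is a package name followed by one or more version bounds, e.g. "zlib>=1.1.3<1.1.4".
_PATTERN = re.compile(r"^([^<>=]+)((?:(?:<=|>=|==|<|>)[^<>=]+)+)$")
_CLAUSE = re.compile(r"(<=|>=|==|<|>)([^<>=]+)")
_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge, "==": operator.eq}

def version_key(version):
    """Simplified Dewey ordering: digit runs compare as integers, letter runs as text.
    (Hypothetical simplification; real pkgsrc also ranks alpha/beta/rc and the 'nbN' suffix.)"""
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|[A-Za-z]+", version))

def split_installed(pkg):
    """Split 'name-1.2.3' at the last hyphen that is followed by a digit."""
    m = re.match(r"^(.+)-(\d[\w.]*)$", pkg)
    if not m:
        raise ValueError("not a name-version package string: " + pkg)
    return m.group(1), m.group(2)

def pattern_matches(pattern, name, version):
    """True if the installed (name, version) satisfies every bound in the pattern."""
    m = _PATTERN.match(pattern)
    if not m or m.group(1) != name:
        return False
    v = version_key(version)
    return all(_OPS[op](v, version_key(bound)) for op, bound in _CLAUSE.findall(m.group(2)))

def audit_packages(vuln_list, installed):
    """Return (installed-package, vulnerability-type, url) for each match, in list order."""
    findings = []
    for line in vuln_list.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, vtype, url = line.split(None, 2)
        for pkg in installed:
            name, ver = split_installed(pkg)
            if pattern_matches(pattern, name, ver):
                findings.append((pkg, vtype, url))
    return findings

if __name__ == "__main__":
    for pkg, vtype, url in audit_packages(SAMPLE_VULN_LIST, SAMPLE_INSTALLED):
        print("Package %s has a %s vulnerability, see %s" % (pkg, vtype, url))
```

Note that dante-1.1.9 is not reported because the sample bound is strictly "<1.1.9"; an audit that finds nothing is only as good as the freshness and coverage of the list it was fed.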