Subject: Re: Dante; what exactly are security mechanisms of pkgsrc?
To: Ing.,BcA. Ivan Dolezal <firstname.lastname@example.org>
From: Stefan Schumacher <email@example.com>
Date: 07/12/2002 15:48:24
On Fri, 12 Jul 2002, Ing.,BcA. Ivan Dolezal wrote:
> I couldn't find any information on vulnerabilities of older Dante
> versions at securityfocus.com and by searching with google "dante socks
> vulnerability". This doesn't mean necessarily that there are no vulns, I
> just couldn't find them. Reading NEWS file in Dante distribution points
> some bugs that seem to be harmless, but maybe I just don't get the
> point. There is not any word "vulne*" or "explo*" anyway. Is this
> software really that bulletproof? I also couldn't find any mailing list
> like "dante-announcement."
> Could you give me some hint where to check Dante security?
> Is version 1.1.9 considered to be secure? Are all the latter versions
> just some cosmetic improvements?
There is a Dant CERT at http://www.dante.net/security/
> I don't really follow the sentence: "Note that we no longer issue
> advisories for thirdparty software packages (pkgsrc). Instead, an
> automated mechanism to audit installed binary package is provided in
> pkgsrc/security/audit-packages." I have no idea, what is behind "an
> automated mechanism".
There is a pkg called audit-packages, it provides two programs,
download-vulnerability-list which downloads the list and
audit-packages which audits your running system against this list, so
you get an output it compromised pkgs are found.
|Package openssh-220.127.116.11nb2 has a remote-root-shell vulnerability, see
Automated means you can run it by at or crontab
> If a package installed from pkgsrc is not audited as vulnerable, it can
> mean basically two things to me in a world of free software:
> - either it is not known as vulnerable,
> - a vulnerabilities database used for an automated mechanism
> wasn't loaded with the up-to-date data from the right place,
> because nobody/nothing felt commited to do it
Thats right. You can have a look at the Database
and you will see that there are really a lot vulnerabilities listed and a lot
of sources for that vulnerabilities, like FreeBSD, securityfocus.com
cert.org and so on.
All your platform are belong to us!