Subject: Re: Not really an advocacy :-(
To: Ing.,BcA. Ivan Dolezal <ivan.dolezal@vsb.cz>
From: Alistair Crooks <agc@wasabisystems.com>
List: netbsd-advocacy
Date: 06/21/2002 18:14:12
On Fri, Jun 21, 2002 at 05:09:04PM +0200, Ing.,BcA. Ivan Dolezal wrote:
>
> Hello.
>
> Question # 1 :
>
>
> June 17, 2002
>
> - Internet Security Systems Security Advisory: Remote Compromise
> Vulnerability in Apache HTTP Server
> - Apache Security Bulletin
> - CERT Advisory
>
> June 18, 2002
>
> - updated Apache Security Bulletin
>
>
> June 19, 2002
>
> - FBI's National Infrastructure Protection Center Advisory
> - Linux Weekly News report
> - Apache releases 1.3.26
> - Debian, Red Hat Linux release their packages (for free)
> - "Package apache-1.3.24 has a remote-root-shell vulnerability"
> message from audit-packages
>
> June 20, 2002
>
> - Gobbles aka apache_scalp.c presented
>
>
> June 21, 2002
>
> ...problem still not mentioned at netbsd.org/Security/
> ...problem still not mentioned at
> ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/www/apache/README.html
> (last audit from Jun 6 05:00)
> ...insecure 1.3.24 still available from the package collection
>
> Unfortunately, the same situation exists on the OpenBSD web site (the primary target of
> apache_scalp.c).
>
> How should I believe in *BSD's commitment to security? While BSD is
> talking about high-quality software, Linux people actually did something.
> Am I missing something?
You're missing something - you quoted it above - the message from
audit-packages.
If you go to pkgsrc/security/audit-packages and install it, you can
be notified automatically of any vulnerabilities in packages installed
on your machine.
To quote from its description file:
> The audit-packages tools provide two scripts:
>
> (1) download-vulnerability-list, an easy way to download a list of
> security vulnerabilities which have been published. This list is kept
> up to date by the NetBSD security officer. It is held at the
> well-known URL:
>
> ftp://ftp.netbsd.org/pub/NetBSD/packages/distfiles/vulnerabilities
>
> (2) audit-packages, an easy way to audit the current machine, checking
> each vulnerability listed by the security officer. If a vulnerable
> package is installed, it will be shown by output to stdout.
and from its message file:
> ======================================================================
> $NetBSD: MESSAGE,v 1.1 2001/11/01 01:16:32 zuntum Exp $
>
> You may wish to have the vulnerabilities file downloaded daily so that
> it remains current. This may be done by adding an appropriate entry
> to the root user's crontab(5) entry. For example the entry
>
> # download vulnerabilities file
> 0 3 * * * ${PREFIX}/sbin/download-vulnerability-list >/dev/null 2>&1
>
> will update the vulnerability list every day at 3AM.
>
> In addition, you may wish to run the package audit from the daily
> security script. This may be accomplished by adding the following
> lines to /etc/security.local
>
> if [ -x ${PREFIX}/sbin/audit-packages ]; then
>         ${PREFIX}/sbin/audit-packages
> fi
>
> ======================================================================
Regards,
Alistair
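As an added example (not code from this message, from pkgsrc, or from the audit-packages tool itself), here is the core of what the audit step described above does, written in Python: read a vulnerabilities list of `package-pattern type-of-exploit URL` lines and report every installed package whose name and version satisfy a pattern, in the "Package ... has a ... vulnerability" form quoted in the thread. The list format, the sample entries and URLs, the installed-package list standing in for pkg_info output, and the simplified version comparison (only `<`, `<=`, `>`, `>=` patterns, numeric dot-separated components) are assumptions made for the example.

```python
"""Minimal audit-packages style check: installed packages vs. a vulnerabilities list."""
import operator
import re

# Constructed sample in the assumed list format: package-pattern, exploit type, URL.
# Entries and URLs are illustrative, not taken from the real NetBSD list.
VULNERABILITIES = """\
# package        type of exploit     URL
apache<1.3.26    remote-root-shell   http://example.invalid/apache-advisory
openssh<3.3      remote-root-shell   http://example.invalid/openssh-advisory
"""

# Constructed stand-in for the installed package database (what pkg_info would report).
INSTALLED = ["apache-1.3.24", "openssh-3.4", "perl-5.6.1"]

# package name, comparison operator, version; e.g. "apache<1.3.26"
PATTERN = re.compile(r"^(?P<pkg>[^<>=]+)(?P<op><=|>=|<|>)(?P<ver>.+)$")
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}


def version_key(version):
    """Compare versions component by component, numerically where possible (simplified)."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in version.split(".")]


def parse_vulnerabilities(text):
    """Yield (pattern, kind, url) for each non-comment line of the list."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, kind, url = line.split()[:3]
            yield pattern, kind, url


def matches(pattern, installed_name):
    """True if installed_name ('apache-1.3.24') satisfies pattern ('apache<1.3.26')."""
    m = PATTERN.match(pattern)
    base, _, version = installed_name.rpartition("-")  # version is the last '-' component
    if not m or base != m["pkg"]:
        return False
    return OPS[m["op"]](version_key(version), version_key(m["ver"]))


def audit(installed, vulnerabilities_text):
    """Return one warning line per installed package matching a listed vulnerability."""
    return [f"Package {name} has a {kind} vulnerability, see {url}"
            for pattern, kind, url in parse_vulnerabilities(vulnerabilities_text)
            for name in installed if matches(pattern, name)]


if __name__ == "__main__":
    for warning in audit(INSTALLED, VULNERABILITIES):
        print(warning)
```

Running it flags apache-1.3.24 against the `apache<1.3.26` entry and stays silent for openssh-3.4, which is newer than the listed `openssh<3.3` range.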