Subject: Re: Not really an advocacy :-(
To: Ing.,BcA. Ivan Dolezal <ivan.dolezal@vsb.cz>
From: Alistair Crooks <agc@wasabisystems.com>
List: netbsd-advocacy
Date: 06/21/2002 18:14:12
On Fri, Jun 21, 2002 at 05:09:04PM +0200, Ing.,BcA. Ivan Dolezal wrote:
> 
> Hello.
> 
> Question # 1 :
> 
> 
> June 17, 2002
> 
> - Internet Security Systems Security Advisory: Remote Compromise
>   Vulnerability in Apache HTTP Server
> - Apache Security Bulletin
> - CERT Advisory
> 
> June 18, 2002
> 
> - updated Apache Security Bulletin
> 
> 
> June 19, 2002
> 
> - FBI's National Infrastructure Protection Center Advisory
> - Linux Weekly News report
> - Apache releases 1.3.26
> - Debian, Red Hat Linux release their packages (for free)
> - "Package apache-1.3.24 has a remote-root-shell vulnerability"
>   message from audit-packages
> 
> June 20, 2002
> 
> - Gobbles aka apache_scalp.c presented
> 
> 
> June 21, 2002
> 
> ...problem still not mentioned at netbsd.org/Security/
> ...problem still not mentioned at
> ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/www/apache/README.html
> (last audit from Jun 6 05:00)
> ...insecure 1.3.24 still available from the package collection
> 
> Unfortunately the same situation with OpenBSD web (the primary target of 
> apache_scalp.c).
> 
> How should I believe in *BSD's commitment to security? While BSD is 
> talking about high quality software, Linux people actually did something.
> Am I missing something?

You're missing something - you quoted it above - the message from
audit-packages.

If you go to pkgsrc/security/audit-packages and install it, you can
be notified automatically of any vulnerabilities in packages installed
on your machine.

To quote from its description file:

> The audit-packages tools provide two scripts:
> 
> (1) download-vulnerability-list, an easy way to download a list of
> security vulnerabilities which have been published.  This list is kept
> up to date by the NetBSD security officer.  It is held at the
> well-known URL:
> 
> ftp://ftp.netbsd.org/pub/NetBSD/packages/distfiles/vulnerabilities
> 
> (2) audit-packages, an easy way to audit the current machine, checking
> each vulnerability listed by the security officer.  If a vulnerable
> package is installed, it will be shown by output to stdout.

and from its message file:

> ======================================================================
> $NetBSD: MESSAGE,v 1.1 2001/11/01 01:16:32 zuntum Exp $
> 
> You may wish to have the vulnerabilities file downloaded daily so that
> it remains current.  This may be done by adding an appropriate entry
> to the root user's crontab(5) entry.  For example the entry
> 
> # download vulnerabilities file
> 0 3 * * * ${PREFIX}/sbin/download-vulnerability-list >/dev/null 2>&1
> 
> will update the vulnerability list every day at 3AM.
> 
> In addition, you may wish to run the package audit from the daily
> security script.  This may be accomplished by adding the following
> lines to /etc/security.local
> 
> if [ -x ${PREFIX}/sbin/audit-packages ]; then
>         ${PREFIX}/sbin/audit-packages
> fi
> 
> ======================================================================

Regards,
Alistair
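The audit the quoted description talks about, as an added example (it is not the audit-packages script or any NetBSD code): a small Python re-implementation of the check, run offline against a constructed vulnerabilities list in the three-column layout the description implies (package pattern, vulnerability type, reference URL) and a constructed list of installed packages. It includes a pkgsrc-style version comparison that understands `nb` revisions and pre-release suffixes, and it prints findings in the "Package X has a Y vulnerability" form quoted in the thread. The package names, versions, URLs and vulnerability types are constructed, and the pattern syntax it accepts (`pkg<ver`, `pkg>=ver<ver`, or a shell glob) is an assumption, since the page does not spell it out.

```python
"""Simplified package audit in the style of pkgsrc audit-packages (added example)."""
import re
import fnmatch

# Constructed vulnerabilities list: pattern, vulnerability type, reference URL.
# None of these entries or URLs are real; they exist only to drive the example.
VULNERABILITIES = """\
# constructed sample list, not the real NetBSD vulnerabilities file
apache<1.3.26\tremote-root-shell\thttp://advisory.example.invalid/apache
apache6<1.3.26\tremote-root-shell\thttp://advisory.example.invalid/apache
openssh<3.3\tremote-root-shell\thttp://advisory.example.invalid/openssh
zlib<1.1.4\tremote-code-execution\thttp://advisory.example.invalid/zlib
perl-5.6.1*\tlocal-file-overwrite\thttp://advisory.example.invalid/perl
"""

# Constructed stand-in for the output of pkg_info (name-version strings).
INSTALLED = ["apache-1.3.24", "openssh-3.4", "zlib-1.1.4", "perl-5.6.1nb2"]

# Pre-release suffixes sort below the bare version; "pl" (patch level) does not.
MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0}


def dewey(version):
    """Split a pkgsrc-style version into (numeric components, nb revision)."""
    main, _, nb = version.partition("nb")
    nb_rev = int(nb) if nb.isdigit() else 0
    parts = []
    for tok in re.findall(r"\d+|[a-z]+", main.lower()):
        if tok.isdigit():
            parts.append(int(tok))
        elif tok in MODIFIERS:
            parts.append(MODIFIERS[tok])
        else:
            # A trailing letter such as 1.2.3a counts as a small positive patch level.
            parts.append(ord(tok[0]) - ord("a") + 1)
    return parts, nb_rev


def compare(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    pa, na = dewey(a)
    pb, nb_rev = dewey(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    if pa != pb:
        return -1 if pa < pb else 1
    return (na > nb_rev) - (na < nb_rev)


def matches(pattern, installed):
    """True if the installed name-version string falls inside the pattern."""
    name, version = installed.rsplit("-", 1)
    m = re.fullmatch(r"([^<>=]+?)(?:(>=|>)([^<>]+))?(?:(<=|<)([^<>]+))?", pattern)
    if m is None or not (m.group(2) or m.group(4)):
        # No relational operator: treat the pattern as a shell glob on name-version.
        return fnmatch.fnmatchcase(installed, pattern)
    if m.group(1) != name:
        return False
    if m.group(2):  # lower bound
        c = compare(version, m.group(3))
        if c < 0 or (c == 0 and m.group(2) == ">"):
            return False
    if m.group(4):  # upper bound
        c = compare(version, m.group(5))
        if c > 0 or (c == 0 and m.group(4) == "<"):
            return False
    return True


def audit(vulnerabilities_text, installed):
    """Return (package, vulnerability type, url) for every installed package hit."""
    findings = []
    for line in vulnerabilities_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed entry; a real tool would warn here
        pattern, vtype, url = fields[0], fields[1], fields[2]
        for pkg in installed:
            if matches(pattern, pkg):
                findings.append((pkg, vtype, url))
    return findings


if __name__ == "__main__":
    for pkg, vtype, url in audit(VULNERABILITIES, INSTALLED):
        print(f"Package {pkg} has a {vtype} vulnerability, see {url}")
```

Run as a script it reports the apache and perl packages only: openssh-3.4 is newer than the 3.3 bound and zlib-1.1.4 equals its bound, so neither is flagged. Hooking a check like this into a daily cron job and the security script, as the quoted MESSAGE file suggests, is what turns a one-off audit into ongoing coverage.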