Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Gentoo-stats like service for security warnings
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Gentoo Chat
View previous topic :: View next topic  
Author Message
itoito
n00b
n00b


Joined: 08 Aug 2002
Posts: 32

PostPosted: Sat Nov 16, 2002 12:38 am    Post subject: Gentoo-stats like service for security warnings Reply with quote

First of all I always keep my systems fully updated, but I had an idea to increase the overall security of the gentoo users:

1. How about a non-anonymous (it's non-anonymous because it has to have your email address) gentoo-stats like server that keeps track of all the installed packages and their versions on your server in a database. As soon as there is an exploitable bug for a package it will scan it's database and send an email to everyone currently working with this package.

2. Maybe it could be done by extending the gentoo-stats clientsoftware and the server a little, there already is a profile in the database, the only thing is the server would have to send you the list of security warnings if there are some and then the client would have to send you a report and takes your email address from a .conf file.

some reasons:

- not everyone updates enough
- some people get lost of track of their servers
- not everyone checks for exploits and thus will not give priority to upgrading a package with secuity bugs.
- perhaps you have upgraded an exploitable package, but some other package still depends on the older version, so the system could still be vulnerable.
- users with an exploitable gentoo machine give the distribution a bad name.

it's about the concept, so ofcourse the implementation could be different.

What do you think?
Back to top
View user's profile Send private message
pjp
Administrator
Administrator


Joined: 16 Apr 2002
Posts: 18471

PostPosted: Sat Nov 16, 2002 5:22 pm    Post subject: Re: Gentoo-stats like service for security warnings Reply with quote

Moved from Networking & Security as this isn't a support question.


itoito wrote:
1. How about a non-anonymous (it's non-anonymous because it has to have your email address) ... will scan it's database and send an email to everyone currently working with this package.
I think too many wouldn't want to have their information stored on someone else's server. Also, I think it should be up to individuals to track security (as opposed to someone else's server doing it).

Quote:
- not everyone updates enough
- some people get lost of track of their servers
- not everyone checks for exploits and thus will not give priority to upgrading a package with secuity bugs.
There is a mailing list that mentions security issues. They should subscribe to it, and update accordingly.

Quote:
- perhaps you have upgraded an exploitable package, but some other package still depends on the older version, so the system could still be vulnerable.
I could be mistaken, but I think this would be addressed in the security announcements.

Quote:
- users with an exploitable gentoo machine give the distribution a bad name.
The user would still be required to do the updates, so not much is gained. Subscribing to the mailing list would have a similar effect.

You might be interested in "emerge security" ??????.
_________________
The media sells it and you live the role.
Back to top
View user's profile Send private message
psharp
Tux's lil' helper
Tux's lil' helper


Joined: 16 Sep 2002
Posts: 76
Location: London, UK

PostPosted: Sun Nov 17, 2002 6:01 pm    Post subject: Reply with quote

I currently use the following to scan my local gentoo-announce archive for packages GLSAs and passes them to emerge. Only updates then if they are installed.

Code:

#!/bin/bash
#Securitymerge 0.01

emerge -n $1 `egrep 'GLSA' ~/Mail/gentoo-announce|sed s/.*GLSA:\ //|cut -d" " -f 1|xargs -iPKG qpkg -I -nc PKG`


Usage: root@ps02P # securitymerge -p
Code:

Calculating Dependancies ...done
[ebuild   U ] x11-base/xfree-4.2.1

etc.


I know this is pretty raw, but it was slapped together as a catchup for several weeks away.

My view is that the orignal idea could probably be done using existing information:

1) grab the gentoo-announce archive
2) search for GLSA
3) check against qpkg -I
4) emerge packages

There are several problems with this, the main one I see is that it simply updates to the latest package, you may already be running a newer version than the bug report is against. I guess this could be taken into account, perhaps by comparing date installed against the GLSA date.

Anyway if anyone is a scripting guru and fancies doing something please do, in the meantime I will continue hacking away but I only started learning scripting in unix last week 8O

Do I get the feeling that this would be easy in Perl, maybe that's what I should learn.....
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Gentoo Chat All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum