determining vulnerable FreeBSD system components [Was: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml]
Oliver Eikemeier
eikemeier at fillmore-labs.com
Sun Aug 22 13:40:49 PDT 2004
Jacques A. Vidrine wrote:
> I don't think ident information is all that useful, and I *know*
> that it is a PITA to maintain.
Yup, I realized that the cvs binary doesn't contain enough information
to be identifiable with ident(1).
> [...]
> The only practical way to specify affected versions of the system
> is with a patch level as we've done for years. e.g. 4.8-RELEASE-p9
> is unaffected, all those before are not. This is analogous to the
> situation with ports... we use the package version number, not the
> revision numbers of the Makefile and associated ports skeleton files,
> nor the revision numbers of the original source files or anything
> silly like that. We use the administratively maintained package
> number with PORTEPOCH, PORTREVISION and such.
Yup. We should use __FreeBSD_version for -STABLE and -CURRENT, since
this is easily determinable. I know -CURRENT is not supported, but it would
be useful nevertheless. I don't know how to handle release branches
though. Especially when only the affected binary is patched, without
rebooting the system (and possibly bumping __FreeBSD_version). Maybe we
should invent some kind of global registry where the (security) patches
applied are recorded.
-Oliver
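As an added illustration of the two version-identification schemes discussed in this thread (not code from the original post or from portaudit/vuxml): a release-branch check keyed on the administratively maintained patch level, e.g. 4.8-RELEASE-p9, and a -STABLE/-CURRENT check keyed on __FreeBSD_version. The fixed-in values and osreldate numbers are constructed for the example.

```python
import re
from typing import NamedTuple, Optional

# Matches release strings such as '4.8-RELEASE' or '4.8-RELEASE-p9'.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)-RELEASE(?:-p(\d+))?$")


class ReleaseVersion(NamedTuple):
    major: int
    minor: int
    patchlevel: int  # 0 when no -pN suffix is present


def parse_release(s: str) -> ReleaseVersion:
    """Parse a FreeBSD -RELEASE version string into comparable parts."""
    m = _RELEASE_RE.match(s.strip())
    if not m:
        raise ValueError(f"not a FreeBSD -RELEASE version string: {s!r}")
    major, minor, pl = m.groups()
    return ReleaseVersion(int(major), int(minor), int(pl or 0))


def release_is_affected(installed: str, fixed_in: str) -> Optional[bool]:
    """Return True if `installed` is on the same release branch as
    `fixed_in` but at a lower patch level, False if it already carries
    the fix, and None when the branches differ (that branch needs its
    own fixed-in entry, as vuxml ranges are written per branch)."""
    inst, fix = parse_release(installed), parse_release(fixed_in)
    if (inst.major, inst.minor) != (fix.major, fix.minor):
        return None
    return inst.patchlevel < fix.patchlevel


def osreldate_is_affected(installed_osreldate: int,
                          fixed_osreldate: int) -> bool:
    """For -STABLE/-CURRENT: compare __FreeBSD_version (exposed at run
    time as the sysctl kern.osreldate) against the value at which the
    fix was committed. Note the caveat raised in the thread: a binary
    patched in place without a rebuild does not bump this number."""
    return installed_osreldate < fixed_osreldate


if __name__ == "__main__":
    # Constructed sample data, mirroring the thread's 4.8-RELEASE-p9 case.
    for v in ("4.8-RELEASE", "4.8-RELEASE-p8", "4.8-RELEASE-p9", "4.9-RELEASE"):
        print(v, "->", release_is_affected(v, "4.8-RELEASE-p9"))
    print("osreldate 600000 vs fix 600001 ->",
          osreldate_is_affected(600000, 600001))
```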