The audit-packages program compares the installed packages with the pkg-vulnerabilities file and reports any known security issues to standard output. This output contains the name and version of the package, the type of vulnerability, and a URL for further information for each vulnerable package.
The following flags are supported:
-s    Verify the signature of the pkg-vulnerabilities file.
The key used to sign the file is available from:
ftp://ftp.netbsd.org/pub/NetBSD/security/PGP/pkgsrc-security@NetBSD.org.asc
In order for this to function correctly the above key must be added to the gpg keyring of the user who runs audit-packages -s and/or download-vulnerability-list -s. In addition to this the gpg binary must be installed on your system. The path to the gpg binary can be set in audit-packages.conf(5).
The requirement for GnuPG may go away in the future when a suitable replacement is implemented.
The following variables can be set in audit-packages.conf(5): GPG, PKGVULNDIR, and IGNORE_URLS.
The download-vulnerability-list program downloads the pkg-vulnerabilities file from ftp.NetBSD.org using ftp(1) by default. This vulnerabilities file documents all known security issues in pkgsrc packages and is kept up-to-date by the NetBSD pkgsrc-security team.
The following flags are supported:
-s    Verify the signature of the pkg-vulnerabilities file.
In order for this to function correctly you will need to add the pkgsrc Security Team key to your gpg keyring and trust it. The key is available from:
ftp://ftp.netbsd.org/pub/NetBSD/security/PGP/pkgsrc-security@NetBSD.org.asc
In addition to this the gpg binary must be installed on your system. The path to the gpg binary can be set in audit-packages.conf(5).
By default download-vulnerability-list will download a compressed version of pkg-vulnerabilities from ftp.netbsd.org. The default file downloaded is compressed using gzip(1). The compression tool used can be set in audit-packages.conf(5). Currently only gzcat(1) and bzcat(1) are supported.
audit-packages and/or download-vulnerability-list need not be run by the root user. They will function as an unprivileged user as long as the user chosen has permission to write the downloaded pkg-vulnerabilities file to the location specified in audit-packages.conf(5).
Each line lists the package and vulnerable versions, the type of exploit, and an Internet address for further information:

The type of exploit can be any text, although some common types of exploits listed are:

The type eol implies that the package is no longer maintained by the software vendor but is provided by the pkgsrc team for your convenience only. It may contain any number of the above mentioned vulnerabilities. Packages of type eol are not reported by default. Run audit-packages -e to also report on eol packages.
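As an added illustration, not code from audit-packages or pkgsrc, the following Python script parses lines in the format just described and checks a constructed list of installed packages against them. It implements a subset of pkg_info's package-pattern rules, dewey bounds such as samba<2.2.5 and shell-style globs such as apache-1.3.*, with a simplified version ordering, and reproduces the two policy points above: eol entries are skipped unless asked for, and entries whose advisory URL is listed in IGNORE_URLS are dropped. The sample entries, package names, versions and URLs are all constructed.

```python
import re
from fnmatch import fnmatchcase

# Version modifiers in the spirit of pkgsrc's dewey comparison; all sort below
# the bare release number. Unknown single letters sort alphabetically
# (a=1, b=2, ...), so 0.9.7c < 0.9.7d. Simplified model, not pkg_info itself.
_MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0}


def dewey(version):
    """Split '1.2.3rc1nb2' into ([1, 2, 3, -1, 1], 2): components plus nb revision."""
    base, _, nb = version.partition("nb")
    parts = []
    for tok in re.findall(r"\d+|[a-zA-Z]+", base):
        if tok.isdigit():
            parts.append(int(tok))
        elif tok.lower() in _MODIFIERS:
            parts.append(_MODIFIERS[tok.lower()])
        elif len(tok) == 1:
            parts.append(ord(tok.lower()) - ord("a") + 1)
        else:
            parts.append(0)
    return parts, int(nb) if nb.isdigit() else 0


def vcmp(a, b):
    """Return -1, 0 or 1 comparing versions a and b; 1.2 == 1.2.0, nb breaks ties."""
    pa, na = dewey(a)
    pb, nb = dewey(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return ((pa > pb) - (pa < pb)) or ((na > nb) - (na < nb))


# Dewey pattern: exact package name followed by one or more <, <=, >, >= bounds.
_DEWEY_RE = re.compile(r"^([^<>=]+?)((?:[<>]=?[^<>=]+)+)$")


def matches(pattern, name, version):
    """Does the installed name-version match a pkg-vulnerabilities package pattern?"""
    m = _DEWEY_RE.match(pattern)
    if m:
        if m.group(1) != name:
            return False
        for op, bound in re.findall(r"([<>]=?)([^<>=]+)", m.group(2)):
            c = vcmp(version, bound)
            if not {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]:
                return False
        return True
    # Anything else is treated as a shell-style glob over "name-version".
    return fnmatchcase(f"{name}-{version}", pattern)


def parse_vulnerabilities(text):
    """Yield (pattern, type, url) triples; blank lines and '#' lines are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        yield fields[0], fields[1], fields[2]


def audit(installed, vulns, report_eol=False, ignore_urls=()):
    """Return (pkg, type, url) for every installed package hit by an entry.

    eol entries are skipped unless report_eol is set (the -e behaviour), and
    entries whose URL is in ignore_urls are dropped (the IGNORE_URLS setting).
    """
    vulns = list(vulns)
    findings = []
    for name, version in installed:
        for pattern, vtype, url in vulns:
            if vtype == "eol" and not report_eol:
                continue
            if url in ignore_urls:
                continue
            if matches(pattern, name, version):
                findings.append((f"{name}-{version}", vtype, url))
    return findings


# Constructed sample data: not the real pkgsrc file; URLs are placeholders.
SAMPLE_VULNS = """\
# constructed sample entries
samba<2.2.5                 remote-root-shell      http://example.invalid/advisory/1
apache-1.3.*                denial-of-service      http://example.invalid/advisory/2
openssl>=0.9.7<0.9.7dnb1    remote-code-execution  http://example.invalid/advisory/3
oldtool-[0-9]*              eol                    http://example.invalid/eol/oldtool
"""

SAMPLE_INSTALLED = [
    ("samba", "2.2.4"), ("samba", "2.2.5nb1"),
    ("apache", "1.3.27"), ("apache", "2.0.44"),
    ("openssl", "0.9.7c"), ("openssl", "0.9.7dnb1"),
    ("oldtool", "1.0"),
]

if __name__ == "__main__":
    entries = parse_vulnerabilities(SAMPLE_VULNS)
    for pkg, vtype, url in audit(SAMPLE_INSTALLED, entries, report_eol=True):
        print(f"Package {pkg} has a {vtype} vulnerability, see {url}")
```

Note the nb handling: samba-2.2.5nb1 is a pkgsrc revision of 2.2.5, so it does not match samba<2.2.5, while openssl-0.9.7c does fall inside the >=0.9.7<0.9.7dnb1 window. Without report_eol the oldtool entry is silent, which is exactly why a daily run with -e is worth considering on hosts where abandoned software is itself a risk.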
By default, the vulnerabilities file is stored in the PKG_DBDIR directory. On a standard installation this will be set to /var/db/pkg. If you have installed pkgsrc on a supported platform this will be whatever you specified when bootstrapping pkgsrc, i.e., --pkgdbdir <pkgdbdir>. The path to the pkg-vulnerabilities file can be set in audit-packages.conf(5).
FILES
/var/db/pkg/pkg-vulnerabilities
/etc/audit-packages.conf
ftp://ftp.netbsd.org/pub/NetBSD/security/PGP/pkgsrc-security@NetBSD.org.asc

It is recommended to download the pkg-vulnerabilities file daily. audit-packages can be run via cron(8) (or with NetBSD's /etc/security.local daily security script).
The download-vulnerability-list command can be forced to use IPv4 with the following setting in /etc/audit-packages.conf:
FETCH_ARGS="-4"
The download-vulnerability-list command can be forced to use http to download the pkg-vulnerabilities file with the following setting in /etc/audit-packages.conf:
FETCH_PROTO="http"
The audit-packages and download-vulnerability-list commands were originally implemented and added to NetBSD's pkgsrc by Alistair Crooks on September 19, 2000. During April 2007 audit-packages was re-written by Adrian Portelli and support was added for compressed files and checking signatures on downloaded files. The original idea came from Roland Dowdeswell and Bill Sommerfeld.