Re: Determining vulnerability to issues described by SAs



Hi Colin,

On Fri, 30 Jun 2006 20:13:44 -0700, Colin Percival wrote:
Dolan- Gavitt, Brendan F. wrote:
I've been trying for the past few days to come up with a method for
checking a FreeBSD system to see if it is vulnerable to an issue
described by a FreeBSD security advisory in some automated way [...]

This is an issue I also have given some thought to.

...

I'm fairly new to FreeBSD, so I may just be missing something
here--is there a reliable way to determine if a system is patched
according to a particular security advisory?

In short, no. If you have any ideas, let me know. :-)

I've been canonically rebuilding my systems for each patch (or at least
every time a vulnerability affects my hosts) to cover this very issue,
even if a rebuild isn't strictly necessary.

In addition to this, however, I usually generate an mtree file from a
pre-production installation so that I can compare any given build with
running systems to identify changes, such as those occurring as a result
of patching - kind of like a base 'tripwire', in fact. Would this be a
solution? Each advisory could come with a custom mtree file that covers
the affected files explicitly and/or another mtree file that covers the
files for this patch _and_ for all previous patches up to that point; you
could name the mtree after the patchlevel eg RELENG_5_3.mtree.p31 - this
should work, regardless of how the patch was applied as the end result is
(almost?) always the same at the binary level.

regards,
-- Joel Hatton --
Infrastructure Manager | Hotline: +61 7 3365 4417
AusCERT - Australia's national CERT | Fax: +61 7 3365 7031
The University of Queensland | WWW: www.auscert.org.au
Qld 4072 Australia | Email: auscert@xxxxxxxxxxxxxx
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"



Relevant Pages

  • [NT] ActiveSync Denial of Service Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... By "pretending" to be an iPAQ and connecting to TCP port 5679, ... sending a corrupted "I would like to sync with you" packet, ... Sample code to demonstrate the vulnerability is shown below: ...
    (Securiteam)
  • [Full-disclosure] Microsoft SQL Server 2005 sp_replwritetovarbin memory overwrite (update to SEC
    ... (Microsoft SQL Server sp_replwritetovarbin limited memory overwrite ... This vulnerability has been described in a prior security ... Our public security advisory has been updated accordingly: ... Remove the sp_replwriterovarbin extended stored procedure. ...
    (Full-Disclosure)
  • Re: MS09-032 Installation
    ... Security Advisory 953839, Microsoft Security Advisory 956391, Microsoft ... Vulnerability - CVE-2008-0015, as does the FixIt some had used before ... be a mistake to "undo" the workaround, ... What would happen if I install this update and then undo the ...
    (microsoft.public.security)
  • Microsoft SQL Server 2005 sp_replwritetovarbin memory overwrite (update to SEC Consult SA-200812
    ... (Microsoft SQL Server sp_replwritetovarbin limited memory overwrite ... This vulnerability has been described in a prior security ... Our public security advisory has been updated accordingly: ... Remove the sp_replwriterovarbin extended stored procedure. ...
    (Bugtraq)
  • WSPortal version 1.0 Path Disclosure Vulnerability
    ... WSPortal version 1.0 Path Disclosure Vulnerability ... WSPortal is a site management system coded in PHP/MySQL. ... There is no official fix at the release of this Security Advisory. ...
    (Bugtraq)