Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-security
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-security@g.o
From: "Daniel A. Avelino" <daavelino@...>
Subject: Re: No GLSA since January?!?
Date: Fri, 26 Aug 2011 16:27:03 -0300
Alex. <br><br>For WEB vulnerability discovering, one of the most important to us is Nessus to <br>search and confronting against CVE database. Sometimes, Nessus find some <br>vulnerable packages in our Gentoo boxes and when we go to emerge -UDN this,<br>
there is not the updated version even when the fixes are available [in other distros <br>for example]. <br><br>The Core Impact <br><br><a href="http://www.coresecurity.com/">http://www.coresecurity.com/</a><br><br>do a great job too but we only tested the demo version. [That is great too].<br>
<br>There is other interesting tool [not really WEB related but...] the Secunia PSI<br><br><a href="http://secunia.com/vulnerability_scanning/online/">http://secunia.com/vulnerability_scanning/online/</a><br><br>that do a great job in search unupdated packages but Windows only.<br>
<br>Reading your last answer, I had the impression we are talking about different things but I think<br>I can connect them. My apologies to speculate without read the complete team work documentation <br>but even if issue correction is not our job as you said, I think we could pressure package maintainers <br>
to update its packages since we (in thesis) have more visibility about packages vulnerabilities that can be fixed but <br>aren&#39;t fixed yet. This could be impact even in GLSA&#39;s update for example. <br><br>So, if we have a automatic mechanism that searchs into vulnerabilities databases - CVE - for example and find what <br>
packages have issues that was already fixed, we could, for example, label packages <br>with some flag that tells users and developers that this package needs review to fix some vulnerability.<br><br>I thought this is an interesting point to discuss because this could in principle force updates to be more <br>
fast and more Bugzilla-free. I have nothing against Bugzilla but the process as a whole takes too much time <br>and we could in principle search vulnerabilities databases and provide developers and users with informations <br>
about how their systems security are.<br><br>Thanks again.<br><br>Daniel<br><br><div class="gmail_quote">On Fri, Aug 26, 2011 at 3:44 PM, Alex Legler <span dir="ltr">&lt;<a href="mailto:a3li@g.o">a3li@g.o</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">On Friday 26 August 2011 15:22:40 Daniel A. Avelino wrote:<br>
&gt; &gt; When I think about automation, I had in mind something that could help<br>
&gt;<br>
&gt; developers to find<br>
&gt; vulnerabilities in a more fast way [searching and confronting CVE, for<br>
&gt; example] and  start a<br>
&gt; &quot;call for solution&quot; process. I work with solutions of this type for WEB<br>
&gt; vulnerabilities discover<br>
&gt; and some tools are very interesting to reduce the correction time.<br>
&gt;<br>
<br>
</div>We already use CVE as one of our sources of vulnerability intelligence.<br>
Finding issues is also not the real issue here.<br>
Also, actual issue correction is not our job, it&#39;s the responsibility of the<br>
package maintainer.<br>
<br>
Can you share details about the utilities you are using?<br>
<br>
Alex<br>
<br>
--<br>
<div class="im">Alex Legler &lt;<a href="mailto:a3li@g.o">a3li@g.o</a>&gt;<br>
</div>Gentoo Security / Ruby</blockquote></div><br>
References:
No GLSA since January?!?
-- Christian Kauhaus
Re: No GLSA since January?!?
-- Alex Legler
Re: No GLSA since January?!?
-- Daniel A. Avelino
Re: No GLSA since January?!?
-- Alex Legler
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: No GLSA since January?!?
Next by thread:
Re: No GLSA since January?!?
Previous by date:
Re: No GLSA since January?!?
Next by date:
Re: No GLSA since January?!?


Updated Oct 31, 2011

Summary: Archive of the gentoo-security mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.