Gentoo Archives: gentoo-security

From: "Daniel A. Avelino" <daavelino@×××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] No GLSA since January?!?
Date: Fri, 26 Aug 2011 19:28:34
In Reply to: Re: [gentoo-security] No GLSA since January?!? by Alex Legler

For WEB vulnerability discovery, one of the most important tools for us is Nessus,
searching and comparing the results against the CVE database. Sometimes Nessus finds
vulnerable packages in our Gentoo boxes, and when we go to emerge -UDN them,
there is no updated version, even when the fixes are already available [in other
distributions, for example].

Core Impact does a great job too, but we only tested the demo version. [That is great too].

There is another interesting tool [not really WEB related but...], Secunia,
that does a great job of searching for outdated packages, but it is Windows only.

Reading your last answer, I had the impression we are talking about
different things, but I think I can connect them. My apologies for speculating
without reading the complete team work documentation, but even if issue
correction is not our job, as you said, I think we could pressure package
maintainers to update their packages, since we (in theory) have more visibility
of package vulnerabilities that can be fixed but aren't fixed yet. This could
even have an impact on GLSA updates, for example.

So, if we had an automatic mechanism that searches vulnerability
databases (CVE, for example) and finds which packages have issues that were
already fixed, we could, for example, label them with some flag that tells
users and developers that this package needs review to fix some vulnerability.

I thought this was an interesting point to discuss, because this could in
principle force updates to be faster and more Bugzilla-free. I have nothing
against Bugzilla, but the process as a whole takes too much time, and we could
in principle search vulnerability databases and provide developers and users
with information about how secure their systems are.

Thanks again.


On Fri, Aug 26, 2011 at 3:44 PM, Alex Legler <a3li@g.o> wrote:

> On Friday 26 August 2011 15:22:40 Daniel A. Avelino wrote:
> > When I think about automation, I had in mind something that could help
> > developers to find
> > vulnerabilities in a more fast way [searching and confronting CVE, for
> > example] and start a
> > "call for solution" process. I work with solutions of this type for WEB
> > vulnerabilities discover
> > and some tools are very interesting to reduce the correction time.
>
> We already use CVE as one of our sources of vulnerability intelligence.
> Finding issues is also not the real issue here.
> Also, actual issue correction is not our job, it's the responsibility of
> the
> package maintainer.
>
> Can you share details about the utilities you are using?
>
> Alex
>
> --
> Alex Legler <a3li@g.o>
> Gentoo Security / Ruby
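The "automatic mechanism" proposed in the message above, as an added illustration that is not part of this thread or of any Gentoo tooling: a small Python script that takes a snapshot of installed packages, the versions available in the tree, and a vulnerability feed, and classifies each affected installed package as already patched, fixable by a normal update, or needing a maintainer version bump (the case the message complains about). All inputs are constructed sample data; the CVE identifiers are placeholders, the package names are illustrative, and the version ordering is a crude stand-in for portage's own version comparison.

```python
import re

# Constructed sample data (not real advisories or real package state).
# Installed packages, as a snapshot of what the box currently has.
INSTALLED = {
    "net-misc/curl": "7.19.7",
    "www-servers/apache": "2.2.19-r1",
    "dev-lang/php": "5.3.6",
}

# Versions currently offered by the package tree.
TREE = {
    "net-misc/curl": ["7.19.7", "7.21.7"],
    "www-servers/apache": ["2.2.19", "2.2.19-r1"],
    "dev-lang/php": ["5.3.6", "5.3.8"],
}

# Minimal vulnerability feed: which package is affected and the first fixed version.
# Identifiers are placeholders, not real CVE numbers.
FEED = [
    {"id": "CVE-PLACEHOLDER-1", "package": "net-misc/curl", "fixed_in": "7.21.7"},
    {"id": "CVE-PLACEHOLDER-2", "package": "www-servers/apache", "fixed_in": "2.2.20"},
    {"id": "CVE-PLACEHOLDER-3", "package": "dev-lang/php", "fixed_in": "5.3.5"},
    {"id": "CVE-PLACEHOLDER-4", "package": "app-text/notinstalled", "fixed_in": "1.0"},
]


def version_key(version):
    """Crude ordering key: every integer component in order, so 2.2.19-r1 > 2.2.19.

    Real Gentoo version strings (suffixes like _p, _rc, letters) need portage's
    vercmp; this is only enough for the demonstration data above.
    """
    return tuple(int(x) for x in re.findall(r"\d+", version))


def classify(installed, tree, feed):
    """Return (package, advisory id, status) for every advisory hitting an installed package.

    status is one of:
      "ok"               installed version already carries the fix
      "update-available" tree has a fixed version; the user only needs to update
      "needs-bump"       no fixed version in the tree; the maintainer must bump
    """
    report = []
    for entry in feed:
        pkg = entry["package"]
        if pkg not in installed:
            continue  # advisory is irrelevant to this box
        fixed = version_key(entry["fixed_in"])
        if version_key(installed[pkg]) >= fixed:
            status = "ok"
        elif any(version_key(v) >= fixed for v in tree.get(pkg, [])):
            status = "update-available"
        else:
            status = "needs-bump"
        report.append((pkg, entry["id"], status))
    return report


def needs_maintainer_attention(report):
    """Packages that would get the proposed 'needs review' flag."""
    return sorted({pkg for pkg, _, status in report if status == "needs-bump"})


if __name__ == "__main__":
    for pkg, advisory, status in classify(INSTALLED, TREE, FEED):
        print(f"{pkg:22} {advisory:20} {status}")
    print("flag for maintainers:", needs_maintainer_attention(classify(INSTALLED, TREE, FEED)))
```

The three statuses map onto the message's own distinction: "ok" is noise the scanner would otherwise report, "update-available" is the user's problem, and only "needs-bump" is the case where visibility should be pushed back to the package maintainer.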