Solved No more FreeBSD security advisories (SA) in vuln.xml?

I used to check FreeBSD Security advisories like this:

Code:
> vxquery /var/db/pkg/vuln.xml FreeBSD-11.0 | grep 'SA-1[67]'
    freebsdsa:SA-17:01.openssh
    freebsdsa:SA-16:39.ntp
    freebsdsa:SA-16:38.bhyve
    freebsdsa:SA-16:37.libc
    freebsdsa:SA-16:36.telnetd
    freebsdsa:SA-16:33.openssh
    freebsdsa:SA-16:31.libarchive
    freebsdsa:SA-16:30.portsnap
    freebsdsa:SA-16:29.bspatch
    freebsdsa:SA-16:27.openssl

According to https://www.freebsd.org/security/advisories.html
Date Advisory name
2017-04-27 FreeBSD-SA-17:04.ipfilter
2017-04-12 FreeBSD-SA-17:03.ntp
2017-02-23 FreeBSD-SA-17:02.openssl
2017-01-11 FreeBSD-SA-17:01.openssh

the January entry was the last one published in vuln.xml, making scripts based on this useless.

Anyone with valid info on this?
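
The gap described in the post above, as an added example that is not part of the original thread: a Python script that compares the published advisory list with the vxquery output and reports advisories missing from vuln.xml. The function names are hypothetical, the sample text is copied from the post (vxquery output shortened to its first four lines), and fetching the two inputs is left to the caller.

```python
import re
import sys

# Sample text copied from the first post: the published advisory list and
# the first four lines of the vxquery output it was compared against.
PUBLISHED = """\
2017-04-27 FreeBSD-SA-17:04.ipfilter
2017-04-12 FreeBSD-SA-17:03.ntp
2017-02-23 FreeBSD-SA-17:02.openssl
2017-01-11 FreeBSD-SA-17:01.openssh
"""
VUXML = """\
    freebsdsa:SA-17:01.openssh
    freebsdsa:SA-16:39.ntp
    freebsdsa:SA-16:38.bhyve
    freebsdsa:SA-16:37.libc
"""

# Matches ids such as "SA-17:01.openssh" in both input formats.
SA_RE = re.compile(r"SA-(\d{2}):(\d{2})\.([A-Za-z0-9_-]+)")


def advisory_ids(text):
    """Map (year, number) -> name for every advisory id found in text."""
    return {(int(y), int(n)): name for y, n, name in SA_RE.findall(text)}


def missing_from_vuxml(published_text, vuxml_text):
    """Advisories on the published list that the vuln.xml query lacks."""
    published = advisory_ids(published_text)
    known = advisory_ids(vuxml_text)
    return [
        f"SA-{y:02d}:{n:02d}.{name}"
        for (y, n), name in sorted(published.items())
        if (y, n) not in known
    ]


def main(published_text=PUBLISHED, vuxml_text=VUXML):
    missing = missing_from_vuxml(published_text, vuxml_text)
    for sa in missing:
        print(f"not in vuln.xml: {sa}")
    return 1 if missing else 0  # non-zero exit lets cron flag the gap


if __name__ == "__main__":
    sys.exit(main())
```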
 
cpm@ I'm not sure what you are trying to tell me. I was talking about the FreeBSD src base, not ports. So I'd like to elaborate on my problem.

I was tired of manually surfing to https://www.freebsd.org/security/advisories.html to check daily for events there. So I wrote a script that parsed new entries there. This worked some time ago, but deteriorated as entries there did not occur in a timely manner. After that I looked for an alternative and found SAs in vuln.xml, which is kept up to date here anyway. This worked better for some time until I discovered that even these lists may be days behind the latest revision.

Now looking for a pragmatic scriptable solution that at least indicates the availability of SAs, this might be suitable: svn diff /usr/src/UPDATING -r HEAD
 
While it doesn't directly solve your issue with scripting a search for security issues, I'd like to point out FreeBSD has a security issues mailing list. That way you don't need to run a script every day to check for issues, they will simply be e-mailed to you as they are reported.
 
If you would ask me if this is a complaint about publishing FreeBSD security advisories in a timely manner then I'd say you can take it as such.

This information is published in four different places by two different methods; you insist on looking in a fifth place using a third method. The only way that makes any sense at all is if you've got some specific need and purpose that can only be fulfilled using this one method to get information from this one place, and if that's the case, you haven't told us about it.
 
That just tells us what you want to do, not why you want to do it when perfectly good solutions already exist. You want to script a solution. What problem does this script solve? You are "interested in automation." What are you trying to automate? You claim the information source you're looking at is "not reliable for my purpose." What is your exact purpose, and why insist on continuing to use an unreliable source when a reliable one exists? If subscribing to a mailing list or news feed means automatically getting notifications and never having to think about this again, why would you insist on not subscribing? If the only reason for this exercise is your own learning, why should the developers/security team go through the extra effort for it?

What are you really trying to do and, perhaps more importantly, why are you trying to do it?
 
While it doesn't directly solve your issue with scripting a search for security issues, I'd like to point out FreeBSD has a security issues mailing list.
This is known. As you noticed I'm interested in automation.
Is it an option to subscribe to the mailing list and use mail/procmail or similar to copy the relevant mail to some location? A different script could check that location and do actions according to your requirements automatically.