
List:       openvas-development
Subject:    Re: [openvas-development] GPL NASL Scripts being pulled off
From:       Javier Fernández-Sanguino Peña <jfs () computer ! org>
Date:       2005-11-29 12:41:30
Message-ID: 20051129124130.GB1271 () javifsp ! no-ip ! org


On Tue, Nov 29, 2005 at 11:16:09AM +0100, Michel Arboi wrote:
> On 29/11/05, Javier Fernández-Sanguino Peña <jfs@computer.org> wrote:
> > I'm surprised to hear that, what information you feel is missing?
> 
> The main problem comes from the way the Debian branches are handled.
> Reading /etc/debian-release is not reliable. I tried to fix this by
> extracting the "branch" from the package name, but it does not appear
> until it is patched (and even then, it does not always appear).
> And also, the mere concept of "Cid" is a pain in the back.

The branch does not even need to exist. The proper way to check for updates
is to check if your package version A is lower than package version B (B
being the update). Testing/unstable (aka 'sid') should not be tested vs.
data from DSAs, unless the DSA provides a sid package version that fixes the
issue.

From my POV it's actually simple:

- extract the Debian version from the DSA for stable (B)
- extract the Debian version from the DSA for sid (C)
[optionally]
- extract the Debian version from the DSA for sid (X)

* If you don't have the package installed, skip.

* Take version number from package (A)

* If you are running:
    - stable, is A < B => WARN
    - sid or testing, is A < C => WARN
    [optionally]
    - oldstable, is A < X => WARN

If you don't have C then there is no sense trying to apply the test to
testing or sid since, presumably, A > B will always be true. This is just why
it does not make sense to apply that to old-stable since, presumably, A < X <
B (so A=X < B does not imply that the system is vulnerable)

The bad side is that testing or sid don't always get referenced in advisories
as they are *unsupported* development trees. The good side is that testing is
starting to gather its own security team that provides additional advisories
(See http://secure-testing-master.debian.net/, and, more specifically, at
http://secure-testing-master.debian.net/list.html).

There might be a way to get an additional version from the DTSa (say, D) 
that could be useful, in absence of C, to test when comparing vs. A. So you
could change 
    - sid or testing, is A < C =>  WARN
to
    - sid or testing, is ( defined(C) && A < C ) || ( defined(D) && A < D )
      => WARN


I agree that there is no simple way to tell sid and testing apart (and I've
bugged people to make this easier) but it's also important to understand that
they are unsupported releases. So complaining about them is just as similar
as complaining that there can be no local checks for Solaris 11.

Regards

Javier


_______________________________________________
openvas-development mailing list
openvas-development@openvas.org
http://www.nth-dimension.org.uk/mailman/listinfo.cgi/openvas-development

