Commit graph

52 commits

Author SHA1 Message Date
Simon L. B. Nielsen
09e8089e23 Portaudit 0.6.0:
Fix remote code execution which can occur with a specially crafted
audit file.  The attacker would need to get portaudit(1) to
download the bad audit database, e.g. by performing a man in the
middle attack.

Add signature verification of the portaudit database.  The public key
for the database generated for portaudit.FreeBSD.org is included
in the distribution.

(This part adds the portaudit public key missed in the initial commit.)

Submitted by:   Michael Gmelin <freebsd@grem.de>
Reported by:    Michael Gmelin <freebsd@grem.de>, Joerg Scheinert
Security:       Remote code execution
Security:       http://vuxml.FreeBSD.org/6d329b64-6bbb-11e1-9166-001e4f0fb9b1.html
Feature safe:   yes
With hat:       so
2012-03-11 22:05:39 +00:00
Simon L. B. Nielsen
23dc1240c1 Portaudit 0.6.0:
Fix remote code execution which can occur with a specially crafted
audit file.  The attacker would need to get portaudit(1) to
download the bad audit database, e.g. by performing a man in the
middle attack.

Add signature verification of the portaudit database.  The public key
for the database generated for portaudit.FreeBSD.org is included
in the distribution.

Submitted by:	Michael Gmelin <freebsd@grem.de>
Reported by:	Michael Gmelin <freebsd@grem.de>, Joerg Scheinert
Security:	Remote code execution
Security:	http://vuxml.FreeBSD.org/6d329b64-6bbb-11e1-9166-001e4f0fb9b1.html
Feature safe:	yes
With hat:	so
2012-03-11 21:32:58 +00:00
Remko Lodder
dc8cb9de3b Add some improvements via Doug:
This patch changes the order in which the conf file is read vs.
when the default variable assignments are made in order to provide
the ability to override them in the conf file. It also adds the
ability to include a conf file in the same directory as the script.

The patch also changes some of the = assignments to := where
having a null setting by mistake would be fatal.

The use case for these changes is the ability to "package" all
of the elements together in one place for use on multiple systems
that can all mount the same central location.

PR:		154518
Submitted by:	dougb
Hat:		secteam
Feature safe:	yes
2011-02-05 08:37:06 +00:00
Ulrich Spörlein
c390aa29ac Don't enclose URLs in <>, it makes them harder to copy&paste and URLs are
not email addresses.

PR:		ports/127214 (first half)
Reviewed by:	simon
Feature safe:	yes
2011-01-31 20:17:04 +00:00
Xin LI
2fbec0a01f Prefer using base system binaries.
Reported by:	Paul Hoffman <phoffman proper com>
With hat:	secteam
2010-05-03 21:02:20 +00:00
Remko Lodder
aa3d0c2333 Forgot to bump version.
Prodded by:	antoine
2009-10-26 09:17:28 +00:00
Remko Lodder
905e4a1332 Fix unmatched quote.
PR:		ports/139810
Submitted by:	bf <bf1783 at gmail dot com>
2009-10-21 08:30:57 +00:00
Simon L. B. Nielsen
bc09d4bcb0 Download portaudit database from http://portaudit.FreeBSD.org/ instead
of http://www.FreeBSD.org/ports/portaudit/.

This is primarily done to work around bug in lighttpd on www.FreeBSD.org
where If-Modified-Since isn't handled correctly possibly resulting in
users behind web proxies getting an outdated version of the portaudit
database.

Bump portaudit version number.

Big thanks to the reporter for the detailed PR with good information
about reproducing the issue.

PR:		www/134505
Reported by:	Christian Ullrich <chris@chrullrich.net>
Prodding by:	remko, Christian Ullrich
2009-06-21 15:45:18 +00:00
Simon L. B. Nielsen
714fd8f611 - Fix portaudit -Fq to actually be quiet. [1]
- Remove support for FreeBSD older than 4.11 and 5.3.
- Remove conditional dependency on bzip2 which I can't really see how
  could be activated automatically.

Reported by:	"J. Martin Petersen" <jmp@alvorlig.dk> [1]
PR:		ports/117845 [1]
With hat:	maintainer / secteam
2007-12-27 09:54:23 +00:00
Erwin Lansing
2afd8bdced Add security to CATEGORIES
"Sounds like a good idea":	simon
2007-04-02 12:40:31 +00:00
Remko Lodder
4e7c3d05b6 Correct URL to the VuXML pages for FreeBSD. Also bump modification date.
PR:		ports/104813
Submitted by:	Alan Amesbury <amesbury at umn dot edu>
2007-03-15 07:14:35 +00:00
Pav Lucistnik
0d0d56457b Populate a new ports-mgmt category. List of moved ports:
  devel/portcheckout -> ports-mgmt/portcheckout
  devel/portlint -> ports-mgmt/portlint
  devel/portmk -> ports-mgmt/portmk
  devel/porttools -> ports-mgmt/porttools
  misc/instant-tinderbox -> ports-mgmt/instant-tinderbox
  misc/porteasy -> ports-mgmt/porteasy
  misc/portell -> ports-mgmt/portell
  misc/portless -> ports-mgmt/portless
  misc/tinderbox -> ports-mgmt/tinderbox
  security/jailaudit -> ports-mgmt/jailaudit
  security/portaudit -> ports-mgmt/portaudit
  security/portaudit-db -> ports-mgmt/portaudit-db
  security/vulnerability-test-port -> ports-mgmt/vulnerability-test-port
  sysutils/barry -> ports-mgmt/barry
  sysutils/bpm -> ports-mgmt/bpm
  sysutils/kports -> ports-mgmt/kports
  sysutils/managepkg -> ports-mgmt/managepkg
  sysutils/newportsversioncheck -> ports-mgmt/newportsversioncheck
  sysutils/pib -> ports-mgmt/pib
  sysutils/pkgfe -> ports-mgmt/pkgfe
  sysutils/pkg-orphan -> ports-mgmt/pkg-orphan
  sysutils/pkg_cutleaves -> ports-mgmt/pkg_cutleaves
  sysutils/pkg_install -> ports-mgmt/pkg_install
  sysutils/pkg_install-devel -> ports-mgmt/pkg_install-devel
  sysutils/pkg_remove -> ports-mgmt/pkg_remove
  sysutils/pkg_rmleaves -> ports-mgmt/pkg_rmleaves
  sysutils/pkg_trackinst -> ports-mgmt/pkg_trackinst
  sysutils/pkg_tree -> ports-mgmt/pkg_tree
  sysutils/portbrowser -> ports-mgmt/portbrowser
  sysutils/portconf -> ports-mgmt/portconf
  sysutils/portdowngrade -> ports-mgmt/portdowngrade
  sysutils/portcheck -> ports-mgmt/portcheck
  sysutils/portmanager -> ports-mgmt/portmanager
  sysutils/portmaster -> ports-mgmt/portmaster
  sysutils/portscout -> ports-mgmt/portscout
  sysutils/portsearch -> ports-mgmt/portsearch
  sysutils/portsman -> ports-mgmt/portsman
  sysutils/portsnap -> ports-mgmt/portsnap
  sysutils/portsopt -> ports-mgmt/portsopt
  sysutils/portupgrade -> ports-mgmt/portupgrade
  sysutils/portupgrade-devel -> ports-mgmt/portupgrade-devel
  sysutils/port-authoring-tools -> ports-mgmt/port-authoring-tools
  sysutils/port-maintenance-tools -> ports-mgmt/port-maintenance-tools
  sysutils/psearch -> ports-mgmt/psearch
  sysutils/p5-FreeBSD-Portindex -> ports-mgmt/p5-FreeBSD-Portindex
  sysutils/qtpkg -> ports-mgmt/qtpkg
  textproc/p5-FreeBSD-Ports -> ports-mgmt/p5-FreeBSD-Ports

Repocopies by:	marcus
2007-02-05 01:08:46 +00:00
Simon L. B. Nielsen
75654bee2f Avoid unnecessary invocations of pkg_info by checking whether the
package is installed or not using a precalculated regex.

This speeds up "portaudit -a" with around a factor of 10.

The change is slightly modified from the one from the PR by using
pkg_info -aE instead of ls /var/db/pkg for determining installed
packages.

Submitted by:	Kuang-che Wu <kcwu@csie.org>
PR:		ports/92942
2006-04-16 13:32:28 +00:00
Edwin Groothuis
508b8d82f4 Replace ugly "@unexec rmdir %D... 2>/dev/null || true" with @dirrmtry
Approved by:    krion@
PR:             ports/88711 (related)
2006-01-22 03:01:03 +00:00
Simon L. B. Nielsen
8c91f8349c Change MAINTAINER address for ports maintained by the Security Team to
secteam@ instead of security@ to make it more clear that the ports are
not maintained by the freebsd-security@ mailing list.  Both addresses
go to the same people.
2005-07-30 19:13:10 +00:00
Simon L. B. Nielsen
9e1a5a3459 portaudit 0.5.10:
- Unbreak portaudit -vF.
- Sync usage with reality.
- Document the q, v, and V options.
- Markup fixes for the portaudit(1) manual page.
- Make quiet mode output even less "redundant" text [1].
- Set maintainership to security@. [2]

Suggested by:	Phil Kernick philk at rotfl dot com dot au [1]
Suggested by:	nectar, remko [2]
2005-07-03 20:31:00 +00:00
Simon L. B. Nielsen
de9b30b80a Grab maintainership of portaudit. While I do not currently have any
plans for improvements (though I have ideas) I feel that portaudit is
too important to not have an active maintainer.

Approved by:	portmgr (linimon)
2005-06-14 22:04:55 +00:00
Christian Brueffer
488bd7efe4 Typo-fix in a comment
Approved by:	portmgr (krion)
2004-09-09 13:15:25 +00:00
Oliver Eikemeier
e8a6142888 - update to version 0.5.9
(first attempts to check the base system for vulnerabilities)
2004-09-03 20:30:54 +00:00
Oliver Eikemeier
b88b1935d9 fix "too many open files" error when using the -r flag
Noted by:	nectar
2004-08-23 17:39:12 +00:00
Oliver Eikemeier
01977fcaea Don't check the base system when PACKAGE_BUILDING
2004-08-16 02:24:06 +00:00
Oliver Eikemeier
153f0ae562 Remove -a from the default fetch(1) flags, so that the daily security
report is not delayed when the distribution site is down.

Submitted by:	kuriyama
2004-08-15 12:26:16 +00:00
Oliver Eikemeier
40f8b91153 fix man page nits,
modify the vulnerability report depending on -q/-v (experimental)

PR:		69935, 68942
Submitted by:	Chris Pepper <pepper@reppep.com>, Johan Karlsson <k@numeri.campus.luth.se>
2004-08-13 17:07:05 +00:00
Oliver Eikemeier
5e008424e7 New option -r: restrict listed entries to selected references.
Useful for testing new entries.
2004-07-24 13:34:52 +00:00
Oliver Eikemeier
76de274928 check for a working tr(1).
2004-07-13 19:36:15 +00:00
Oliver Eikemeier
580eeeff30 Test OSVERSION instead of pkg_info -P to enable cross-version builds
Requested by:	kris
2004-07-02 00:31:18 +00:00
Oliver Eikemeier
2e23771c68 - update to version 0.5
*** NOTE ***

The preferences file format has changed, as have the periodic.conf(5) names.
Normally the default settings should be adequate, except when you need to
configure a proxy. Use $PREFIX/etc/portaudit.conf.sample as an example.

- moved portaudit to sbin
- clean up, merging stuff into the portaudit script
- better return codes and errors to stderr
- -f can check stdin now
- dropped ports tree auditing
- merged the periodic(8) scripts into one
- run daily auditing as `nobody'
2004-07-01 10:59:48 +00:00
Oliver Eikemeier
41c24e6c48 update to version 0.4.1
Use
  portaudit [packagename ...]
to check if package is listed as vulnerable
2004-06-25 01:21:20 +00:00
Oliver Eikemeier
8d9c87c405 Add pkg-req file which was forgotten in the last commit.
2004-06-23 16:02:23 +00:00
Oliver Eikemeier
f5b10d70f9 Update to version 0.4, with a new `-f' option.
To check which of the current ports have known vulnerabilities, do

  portaudit -f /usr/ports/INDEX

This port requires pkg_install(-devel)>=20040623
2004-06-23 16:01:38 +00:00
Oliver Eikemeier
9dec4894a1 make expiry date customizable via daily_status_portaudit_expiry
2004-06-21 16:04:27 +00:00
Oliver Eikemeier
cfaf552880 Fetch the database from http://www.FreeBSD.org/ports/ first.
Thanks to:	kuriyama
2004-06-18 08:07:29 +00:00
Oliver Eikemeier
10813956a8 update to 0.3.1:
- use passive ftp by default, don't retry on failure [1]
- add a -C flag, portlint style
- don't keep databases that are too old [2]

Requested by:	hubs [1]
Noticed by:	Nicolas Rachinsky <nicolas@rachinsky.de> [2]
2004-03-31 22:52:01 +00:00
Oliver Eikemeier
1832c23a94 Update to 0.3.
Since we are using the official VuXML database
the auditing should be pretty complete.

- mention web page
- add more mirrors, disabling .ru mirror (too much lag)
- allow combined options in portaudit shell script
- add sample configuration file
- use absolute paths for binaries, to ease use in crontab scripts [1]
- correct typo in man page [2]

PR:		64005 [2]
Submitted by:	Tomasz Pilat <poncki@axelspringer.com.pl> [1]
		Nathan Dove <njdove@wafer.sandia.gov> [2]
2004-03-11 11:11:59 +00:00
Oliver Eikemeier
598dedc510 grammar
Submitted by:	will, nectar
2004-02-25 14:12:03 +00:00
Oliver Eikemeier
16af0c01c0 add a security contact
2004-02-25 12:47:13 +00:00
Oliver Eikemeier
6cd6202ef7 - bugfix: awk in -CURRENT accepts no regexes in RS, causing the database
update to fail

- add an install & deinstall message

Submitted by:	nectar & Ion-Mihai Tetcu <itetcu@apropo.ro>
2004-02-25 09:46:26 +00:00
Oliver Eikemeier
dd190f52fe update to 0.2:
- new command line tool
- new man page
- reworked database update code, incorporating feedback from
  Max Khon <fjoe>, Radim Kolar <hsn@netmag.cz> (PR 63066) and
  Ion-Mihai Tetcu <itetcu@apropo.ro> (PR 62655)
2004-02-21 21:19:41 +00:00
Oliver Eikemeier
5ef80c7ef0 Disable auditfile.txt until we decide on a database format,
two databases cause more confusion than it is worth.

portaudit uses ports/security/vuxml/vuln.xml in the meantime,
please commit your changes there and send feedback which format
you prefer.

Currently we have to migrate gnats, mailman, monkey and some
apache versions.
2004-02-19 02:19:33 +00:00
Oliver Eikemeier
2ea4608d31 add bind, pine, samba 3.x
2004-02-17 12:28:13 +00:00
Oliver Eikemeier
2f1bc26f47 remove duplicate mutt entry, sorry.
2004-02-16 20:19:53 +00:00
Oliver Eikemeier
3fcca49ba6 add mutt and mailman
2004-02-16 19:14:24 +00:00
Oliver Eikemeier
f78667fc99 XFree86-Server font file buffer overflows
2004-02-16 18:41:05 +00:00
Oliver Eikemeier
c9d6de4408 add GNATS3
2004-02-16 15:02:04 +00:00
Oliver Eikemeier
dcb711e3ef require gaim version 0.75_6, since the vulnerability has been re-introduced
add libtool symlink vulnerability
2004-02-13 14:20:15 +00:00
Oliver Eikemeier
d873cb4b08 add fspd <= 2.8.1.3
PR:		62747
Submitted by:	Radim Kolar <hsn@netmag.cz>
2004-02-13 01:22:49 +00:00
Clement Laforet
88f171bfd3 Add mutt < 1.4.2 vulnerability.
2004-02-11 18:28:18 +00:00
Oliver Eikemeier
89e295c836 add an URL where at least some kind of advisory for monkeyd can be found...
2004-02-11 11:54:29 +00:00
Clement Laforet
51242e4c41 Add entries for:
- www/apache13-ssl < 1.3.29.1.53
- www/monkey < 0.8.2
2004-02-11 00:07:28 +00:00
Oliver Eikemeier
14c08ca6ff add clamav<0.65_7
PR:		62586
2004-02-10 14:11:14 +00:00