Determine which software have outstanding security advisories
Author: name contact BSD flavour
Reviewer: name contact BSD flavour
Reviewer: Chris Silva racerx@makeworld.com FreeBSD/OpenBSD
Concept
Recognize the importance of being aware of software security (((security))) vulnerabilities (((vulnerabilities))). Also recognize the third-party utilities which integrate with the BSD package(((package))) managers to determine which software has outstanding vulnerabilities.
Introduction
portaudit: system to check installed packages for known vulnerabilities (((portaudit)))
portaudit -a prints a vulnerability report for all installed packages
portaudit -F fetches current database from FreeBSD servers
portaudit -Fa fetches the current database and then prints the report for all installed packages (does both at one time, very useful)
TODO: mention enabling periodic portaudit script
Examples
The following is an example of using portaudit on FreeBSD. (The "-d" option prints the date of the vulnerability database.)
$ /usr/local/sbin/portaudit -Fda
New database installed.
Database created: Fri Jan 26 09:40:17 PST 2007
Affected package: php5-5.1.2_1
Type of problem: php -- open_basedir Race Condition Vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/edabe438-542f-11db-a5ae-00508d6a62df.html>
1 problem(s) in your installed packages found.
You are advised to update or deinstall the affected package(s) immediately.
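As an added example (not part of the original guide), a small POSIX shell script that parses a portaudit report like the one above so a periodic or cron job can flag hosts with outstanding advisories. The embedded report is a constructed copy of the output shown above; the portaudit path is the one used in the example, and the script falls back to the sample when the binary is absent.

```shell
# Added example, not from the original page: parse a portaudit report,
# list the affected packages and return a non-zero status when any exist.
# SAMPLE_REPORT is a constructed copy of the output format shown above.
SAMPLE_REPORT='New database installed.
Database created: Fri Jan 26 09:40:17 PST 2007
Affected package: php5-5.1.2_1
Type of problem: php -- open_basedir Race Condition Vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/edabe438-542f-11db-a5ae-00508d6a62df.html>
1 problem(s) in your installed packages found.
You are advised to update or deinstall the affected package(s) immediately.'

# Print the names of affected packages, one per line.
affected_packages() {
    printf '%s\n' "$1" | sed -n 's/^Affected package: //p'
}

# Print the number of problems from the summary line (0 if the line is absent).
problem_count() {
    n=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\) problem(s) in your installed packages found\.$/\1/p')
    echo "${n:-0}"
}

# Exit status for a periodic job: 0 when clean, 1 when advisories are outstanding.
check_report() {
    count=$(problem_count "$1")
    if [ "$count" -gt 0 ]; then
        affected_packages "$1"
        return 1
    fi
    return 0
}

# Use live portaudit output when the tool is installed, otherwise the sample.
if [ -x /usr/local/sbin/portaudit ]; then
    report=$(/usr/local/sbin/portaudit -Fda 2>&1)
else
    report=$SAMPLE_REPORT
fi
check_report "$report" || echo "outstanding advisories found"
```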
Practice Exercises
More information
audit-packages(((audit-packages))) for DragonFly and NetBSD; portaudit(((portaudit))) and vuxml(((vuxml))) for FreeBSD and OpenBSD
TODO: verify for OpenBSD?