package auditing in fedora
Jaigh Jaddo
jj at hildenhahn.com
Fri Aug 3 18:58:08 UTC 2007
There are several reasons for this.
1. Clearly there can be vulnerabilities that have not been fixed yet
or have been fixed and there has not been a package created yet. In
this case I would assess my risk and disable the vulnerable service
as needed.
2. I am running a large enterprise and cannot risk upgrading packages
unless there is a clear reason to do so (i.e. security vulnerability).
Doing a global yum update is risky for the enterprise. It is fine
at home.
Thanks to all for the replies.
JJ
On Aug 3, 2007, at 7:13 AM, Todd Zullinger wrote:
> Sam Varshavchik wrote:
>> Jaigh Jaddo writes:
>>
>>> Is there a tool similar to FreeBSD's portaudit? Something that will
>>> report packages that have known vulnerabilities.
>>
>> No. For the simple reason that a known vulnerability results in an
>> updated package. If you want to make sure that you're not running
>> any known vulnerability, run "yum update".
>
> There can be known vulnerabilities that are not fixed yet. I thought
> that was what Jaigh was asking about, and this is the sort of info
> that's in the fedora-security/audit files.
>
> --
> Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> We never reflect how pleasant it is to ask for nothing.
> -- Seneca
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list