RHSA vs CVE
Dmitry Makovey
dmitry at athabascau.ca
Wed Jun 13 15:11:04 UTC 2012
Hi everybody,
Background:
we're currently going through external security audit and it's report
enumerates things in CVE terms which paints things very "black-and-white" -
they rely on reported package versions vs. actual vulnerabilities. To address
this I have created a tool:
https://github.com/droopy4096/rhsa_cve/blob/master/rhsa_cve/rhsa_cve_check.py
what it does is it fetches RHSA mapped to CVE, CPE dictionary and CVE
databases from RedHat and Mitre.
Problem:
Working on above tool I hav erealized that mappings are "fuzzy" to generate
reliable report. Example: CVE-2009-3094 maps to
RHSA-2009:1580,RHSA-2010:0602,RHSA-2009:1579,RHSA-2010:0011,RHSA-2009:1461
Now here's the trick - using RHSA data above I end up with packages like
postgresql* in the mix where CVE-2009-3094 specifically refers to a single
package - httpd (except it can't be reliably extracted from any of the
official sources as far as I can tell)
The whole purpose of above is to get CVE information, find out which packages
need to be verified, then generate the script that can be ran on a machine
checking whether CVE is listed in the changelog as a confirmation that issue
has been addressed (even though package version has not changed).
Question:
Is there a better way of mapping CVE to RHSA/packages? How are others dealing
with similar situation? Manual response (esp. that every audit comes up with
repeats of CVE's we have appealed on the last round) doesn't seem feasible. We
have increased number of external audits as well so Crafting response to each
one becomes burdensome.
--
Exterminate! Exterminate!
-- Daleks
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
--
This communication is intended for the use of the recipient to whom it
is addressed, and may contain confidential, personal, and or privileged
information. Please contact us immediately if you are not the intended
recipient of this communication, and do not copy, distribute, or take
action relying on it. Any communications received in error, or
subsequent reply, should be deleted or destroyed.
---
More information about the redhat-sysadmin-list
mailing list