Package: wnpp
Severity: wishlist
Owner: Daniel Stender <sten...@debian.org>

* Package name    : vuls
  Version         : 0.1.1
  Upstream Author : Kota Kanbe <kotaka...@gmail.com>
* URL             : https://github.com/future-architect/vuls
* License         : GPL-3
  Programming Lang: Google Go
  Description     : package inventory scanner for CVE vulnerabilities

This is a scanner which checks the package inventory against a local copy of
the National Vulnerabilities Database (NVD) of vulnerabilities according to
their CVE (Common Vulnerabilities and Exposures) identifiers. The backends
support a couple of OSs (Debian, RHEL, CentOS, Amazon Linux). Scanning servers
over the network is possible.

A typical scan goes like this (an Ubuntu 12.04 server via SSH):
<cut>
$ ./vuls scan
[Apr 10 16:21:02]  INFO [localhost] Validating Config...
[Apr 10 16:21:02]  INFO [localhost] Detecting OS... 
[Apr 10 16:21:06]  INFO [localhost] Scanning vulnerabilities... 
[Apr 10 16:21:06]  INFO [localhost] Check required packages for scanning...
[Apr 10 16:21:06]  INFO [localhost] Scanning vulnerable OS packages...
{...}
[Apr 10 16:21:44]  INFO [myserver:22] (1/22) Scanned libisccfg82-1:9.8.1.dfsg.P1-4ubuntu0.15 : [CVE-2016-1285 CVE-2016-1286]
[Apr 10 16:21:44]  INFO [myserver:22] (2/22) Scanned libisc83-1:9.8.1.dfsg.P1-4ubuntu0.15 : [CVE-2016-1285 CVE-2016-1286]
[Apr 10 16:21:44]  INFO [myserver:22] (3/22) Scanned libisccc80-1:9.8.1.dfsg.P1-4ubuntu0.15 : [CVE-2016-1285 CVE-2016-1286]
[Apr 10 16:21:44]  INFO [myserver:22] (4/22) Scanned dnsutils-1:9.8.1.dfsg.P1-4ubuntu0.15 : [CVE-2016-1285 CVE-2016-1286]
[Apr 10 16:21:44]  INFO [myserver:22] (5/22) Scanned libgnutls26-2.12.14-5ubuntu3.11 : []
[Apr 10 16:21:44]  INFO [myserver:22] (6/22) Scanned liblwres80-1:9.8.1.dfsg.P1-4ubuntu0.15 : [CVE-2016-1285 CVE-2016-1286]
[Apr 10 16:21:44]  INFO [myserver:22] (7/22) Scanned ca-certificates-20141019ubuntu0.12.04.1 : []
[Apr 10 16:21:44]  INFO [myserver:22] (8/22) Scanned bind9-host-1:9.8.1.dfsg.P1-4ubuntu0.15 : [CVE-2016-1285 CVE-2016-1286]
[Apr 10 16:21:44]  INFO [myserver:22] (9/22) Scanned libbind9-80-1:9.8.1.dfsg.P1-4ubuntu0.15 : [CVE-2016-1285 CVE-2016-1286]
[Apr 10 16:21:44]  INFO [myserver:22] (10/22) Scanned libdns81-1:9.8.1.dfsg.P1-4ubuntu0.15 : [CVE-2016-1285 CVE-2016-1286]
[Apr 10 16:21:44]  INFO [myserver:22] (11/22) Scanned libpcre3-8.12-4ubuntu0.1 : [CVE-2015-2327 CVE-2015-8382 CVE-2015-8385 {...}
[Apr 10 16:21:44]  INFO [myserver:22] (12/22) Scanned perl-base-5.14.2-6ubuntu2.4 : [CVE-2013-7422 CVE-2014-4330 CVE-2016-2381]
[Apr 10 16:21:44]  INFO [myserver:22] (13/22) Scanned libpam0g-1.1.3-7ubuntu2 : [CVE-2015-3238 CVE-2013-7041 CVE-2014-2583]
[Apr 10 16:21:44]  INFO [myserver:22] (14/22) Scanned openssl-1.0.1-4ubuntu5.33 : [CVE-2016-0702 CVE-2016-0705 CVE-2016-0797 {...}
[Apr 10 16:21:44]  INFO [myserver:22] (15/22) Scanned libpam-modules-bin-1.1.3-7ubuntu2 : [CVE-2015-3238 CVE-2013-7041 CVE-2014-2583]
[Apr 10 16:21:44]  INFO [myserver:22] (16/22) Scanned linux-generic-lts-trusty-3.13.0.79.71 : []
[Apr 10 16:21:44]  INFO [myserver:22] (17/22) Scanned libpam-modules-1.1.3-7ubuntu2 : [CVE-2015-3238 CVE-2013-7041 CVE-2014-2583]
[Apr 10 16:21:44]  INFO [myserver:22] (18/22) Scanned perl-5.14.2-6ubuntu2.4 : [CVE-2013-7422 CVE-2014-4330 CVE-2016-2381]
[Apr 10 16:21:45]  INFO [myserver:22] (19/22) Scanned libssl1.0.0-1.0.1-4ubuntu5.33 : [CVE-2016-0702 CVE-2016-0705 CVE-2016-0797 {...}
[Apr 10 16:21:45]  INFO [myserver:22] (20/22) Scanned libpam-runtime-1.1.3-7ubuntu2 : [CVE-2015-3238 CVE-2013-7041 CVE-2014-2583]
[Apr 10 16:21:46]  INFO [myserver:22] (21/22) Scanned tzdata-2015g-0ubuntu0.12.04 : []
[Apr 10 16:21:46]  INFO [myserver:22] (22/22) Scanned perl-modules-5.14.2-6ubuntu2.4 : [CVE-2013-7422 CVE-2014-4330 CVE-2016-2381]
[Apr 10 16:21:46]  INFO [myserver:22] Fetching CVE details...
[Apr 10 16:21:46]  INFO [myserver:22] Done
[Apr 10 16:21:46]  INFO [localhost] Scanning vulnerable software specified in the CPE...
[Apr 10 16:21:46]  INFO [localhost] Reporting...
myserver (ubuntu 12.04)
=======================
CVE-2016-0799   10.0    The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2
                        before 1.0.2g improperly calculates string lengths, which allows remote attackers to
                        cause a denial of service (overflow and out-of-bounds read) or possibly have
                        unspecified other impact via a long string, as demonstrated by a large amount of
                        ASN.1 data, a different vulnerability than CVE-2016-2842.
CVE-2016-0705   10.0    Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c
                        in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to
                        cause a denial of service (memory corruption) or possibly have unspecified other
                        impact via a malformed DSA private key.
CVE-2016-0798   7.8     Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before
                        1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service
                        (memory consumption) by providing an invalid username in a connection attempt,
                        related to apps/s_server.c and crypto/srp/srp_vfy.c.
{...}
</cut>

That's quite useful to have available for administration. I'm going to
maintain this within the Pkg-go group, the binary is going to be "vuls".
WNPP bugs for the needed dependencies are coming up.

Thank you very much,
DS
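
The per-package lines in the scan log above can be inverted into a CVE-to-packages view, which is usually what patch planning needs. The following is an added example, not part of the original message or of vuls itself; it assumes the log line format exactly as shown above (vuls 0.1.1), and the names `PackagesByCVE` and `sampleLog` are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// scannedRe matches "(n/m) Scanned <package> : [<CVE list>" log lines.
// The closing bracket is optional: long lists are elided with "{...}".
var scannedRe = regexp.MustCompile(`\(\d+/\d+\) Scanned (\S+) : \[([^\]]*)`)
var cveRe = regexp.MustCompile(`CVE-\d{4}-\d{4,}`)

// PackagesByCVE inverts per-package result lines into CVE -> affected packages.
// Packages with an empty list ("[]") contribute nothing.
func PackagesByCVE(log string) map[string][]string {
	out := map[string][]string{}
	for _, line := range strings.Split(log, "\n") {
		m := scannedRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a per-package result line
		}
		for _, cve := range cveRe.FindAllString(m[2], -1) {
			out[cve] = append(out[cve], m[1])
		}
	}
	for _, pkgs := range out {
		sort.Strings(pkgs)
	}
	return out
}

// sampleLog: lines taken from the scan output above, mail wrapping undone.
const sampleLog = `[Apr 10 16:21:44]  INFO [myserver:22] (4/22) Scanned dnsutils-1:9.8.1.dfsg.P1-4ubuntu0.15 : [CVE-2016-1285 CVE-2016-1286]
[Apr 10 16:21:44]  INFO [myserver:22] (5/22) Scanned libgnutls26-2.12.14-5ubuntu3.11 : []
[Apr 10 16:21:44]  INFO [myserver:22] (8/22) Scanned bind9-host-1:9.8.1.dfsg.P1-4ubuntu0.15 : [CVE-2016-1285 CVE-2016-1286]
[Apr 10 16:21:44]  INFO [myserver:22] (14/22) Scanned openssl-1.0.1-4ubuntu5.33 : [CVE-2016-0702 CVE-2016-0705 CVE-2016-0797 {...}
[Apr 10 16:21:46]  INFO [myserver:22] Fetching CVE details...`

func main() {
	byCVE := PackagesByCVE(sampleLog)
	ids := make([]string, 0, len(byCVE))
	for id := range byCVE {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	for _, id := range ids {
		fmt.Printf("%s: %s\n", id, strings.Join(byCVE[id], ", "))
	}
}
```

Lists elided with `{...}` in the log are incomplete, so the result for those packages is a lower bound on the CVEs reported.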
