NAME
yvc -- a software package vulnerability checker

SYNOPSIS
yvc [-hv] [-c file] [-l file] [pkg [...]]

DESCRIPTION
The yvc tool compares each given package name against the list of known vulnerabilities and reports any security issues. For each vulnerable package, the output contains the name and version of the package, the type of vulnerability, and a URL for further information.
The following options are supported by yvc:
yvc takes as input a list of package names. If no package names are given on the command-line, yvc will read them from stdin.
Input from stdin and from the command-line can be combined: if yvc encounters "-" as an argument, it will read from stdin at that point.
yvc will then try to match each package against a list of known vulnerabilities.
The list of known vulnerabilities is taken from a text file. In this file, each line lists the package and vulnerable versions, the type of exploit, and an Internet address for further information:
<package pattern> <type> <url>
The type of exploit can be any text, although some common types of exploits listed are:
o cross-site-html
o cross-site-scripting
o denial-of-service
o file-permissions
o local-access
o local-code-execution
o local-file-read
o local-file-removal
o local-file-write
o local-root-file-view
o local-root-shell
o local-symlink-race
o local-user-file-view
o local-user-shell
o privacy-leak
o remote-code-execution
o remote-command-inject
o remote-file-creation
o remote-file-read
o remote-file-view
o remote-file-write
o remote-key-theft
o remote-root-access
o remote-root-shell
o remote-script-inject
o remote-server-admin
o remote-use-of-secret
o remote-user-access
o remote-user-file-view
o remote-user-shell
o unknown
o weak-authentication
o weak-encryption
o weak-ssl-authentication
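As an added illustration (not yvc's own code), the following Python sketch parses a constructed vlist in the "<package pattern> <type> <url>" layout and checks package names of the form name-version against it. The page does not specify the package pattern syntax, so the sketch assumes the NetBSD pkg_match style ("name<ver", "name<=ver", or an exact "name-ver"); the advisories and URLs in the sample are made-up placeholders.

```python
import re

# Constructed sample vlist in yvc's "<package pattern> <type> <url>" layout.
# Assumption: patterns follow NetBSD's pkg_match ("name<ver", "name<=ver",
# exact "name-ver"); the advisories and URLs are made-up placeholders.
SAMPLE_VLIST = """\
# comment and blank lines are ignored
zsh<4.2.7 local-code-execution http://example.invalid/advisory/zsh
sudo<1.6.9 local-root-shell http://example.invalid/advisory/sudo
openssl-0.9.8a weak-encryption http://example.invalid/advisory/openssl
"""
# pattern: name, one of "<=", "<", "-", then a version starting with a digit
PATTERN_RE = re.compile(r"^(?P<name>.+?)(?P<op><=|<|-)(?P<ver>\d\S*)$")
# installed package: the version starts at the last "-" followed by a digit
PKG_RE = re.compile(r"^(?P<name>.+)-(?P<ver>\d\S*)$")

def version_key(ver):
    """'1.6.8pl1' -> tuple comparing digits numerically and letters lexically;
    a bare prefix sorts before its patch-level suffix (rc tags need more)."""
    parts = re.findall(r"\d+|[A-Za-z]+", ver)
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts)

def parse_vlist(text):
    """Return (name, op, version, type, url) for each well-formed line."""
    entries = []
    for line in text.splitlines():
        fields = line.split(None, 2)
        if len(fields) != 3 or fields[0].startswith("#"):
            continue
        m = PATTERN_RE.match(fields[0])
        if m:
            entries.append((m["name"], m["op"], m["ver"], fields[1], fields[2]))
    return entries

def check(pkgs, entries):
    """Return (package, type, url) for every package matching a vlist entry."""
    hits = []
    for pkg in pkgs:
        m = PKG_RE.match(pkg)
        if not m:
            continue
        key = version_key(m["ver"])
        for name, op, ver, vtype, url in entries:
            if name == m["name"]:
                vkey = version_key(ver)
                if {"<": key < vkey, "<=": key <= vkey, "-": key == vkey}[op]:
                    hits.append((pkg, vtype, url))
    return hits
```

Feeding check() the output of "pkg_info | awk '{print $1}'" or "rpm -qa" split on whitespace mirrors the way yvc is invoked; a real vlist would replace SAMPLE_VLIST.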
The list of vulnerabilities is stored per default in two files under /usr/local/var/yvc/.
At startup, yvc reads the system-wide configuration file /usr/local/etc/yvc.conf. See yvc.conf(5) for details.
yvc can be run via cron(8), to check the installed packages on a regular basis. One might wish to invoke yvc as:
pkg_info | awk '{print $1}' | yvc
EXAMPLES
To check the packages 'zsh-4.2.6' and 'sudo-1.6.8pl1' against any known vulnerabilities:
yvc zsh-4.2.6 sudo-1.6.8pl1
To check all rpms on the host 'hostname.yahoo.com':
ssh hostname.yahoo.com "rpm -qa" | yvc
EXIT STATUS
The yvc utility exits 0 on success, and >0 if an error occurs.
FILES
/usr/local/var/yvc/fbvlist
A list of known vulnerabilities in the FreeBSD ports collection derived from http://www.freebsd.org/ports/portaudit/.
/usr/local/var/yvc/nbvlist
A list of vulnerabilities provided by the NetBSD Project. See http://www.netbsd.org/support/security/#check-pkgsrc for details.
/usr/local/var/yvc/rh4vlist
A list of vulnerabilities known in RHEL4, derived from http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml.bz2.
/usr/local/var/yvc/rh5vlist
A list of vulnerabilities known in RHEL5, derived from http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml.bz2.
SEE ALSO
fetch-vlist(1), rpm(1), yinst(1), yvc.conf(5)
HISTORY
yvc was conceptually based on NetBSD's "audit-packages" command. It was originally written by Jan Schaumann <jschauma@yahoo-inc.com> in July 2008.
BUGS
Please report bugs and feature requests to the author.