[Openvas-discuss] Debian Local Security Checks out of date ?

Thomas Reinke lists at securityspace.com
Fri Aug 5 04:13:01 CEST 2011


Laurent Rossier wrote:
> Hi Thomas,
> 
> 03/08/2011 14:14, Laurent Rossier wrote :
>> 03/08/2011 04:26, Thomas Reinke wrote :
>>> Updates are coming.  There were a few delays after it was pointed out
>>> that a couple previous nasl scripts were incorrect.  This forced a
>>> re-evaluation of the generation process and a rework.
> 
> Thanks for having fixed this.
> 
>> Is it possible to also include the reported date in the
>> script_description (for example, 28 Jul 2011 for DSA 2288, available
>> here http://www.debian.org/security/2011/dsa-2288) ?
> 
> About that, I can give you a patch for the current nvts which adds this
> date in the description.
> But I don't have access to the generation process so I cannot modify it
> for the future ones.
> 

I don't see a particular problem with this, but I guess the bigger issue
in my mind is if this is something that should be done consistently
across ALL local security checks.  When we built the generators, we
tried to provide a level of consistency in how they were built across
all distributions.

What we've done, in general, is to keep the amount of information within
the test to a reasonable minimum (that is of course a subjective
judgement call), but to then reference other resources. That includes
always including within the script a reference to the actual advisory.

So I guess, at end of day, I would lean towards not putting that
information into the nasl (but that's a soft leaning - am willing
to be convinced otherwise).

Thomas



More information about the Openvas-discuss mailing list