[Openvas-discuss] Debian Local Security Checks out of date ?
laurent.rossier at via.ecp.fr
Fri Aug 5 09:22:30 CEST 2011
05/08/2011 04:13, Thomas Reinke wrote:
> I don't see a particular problem with this, but I guess the bigger issue
> in my mind is if this is something that should be done consistently
> across ALL local security checks. When we built the generators, we
> tried to provide a level of consistency in how they were built across
> all distributions.
> What we've done, in general, is to keep the amount of information within
> the test to a reasonable minimum (that is of course a subjective
> judgement call), but to then reference other resources. That includes
> always including within the script a reference to the actual advisory.
> So I guess, at end of day, I would lean towards not putting that
> information into the nasl (but that's a soft leaning - am willing
> to be convinced otherwise).
I don't want to impose my point of view (of course), but I think that the
date of publication of the security advisory is more relevant
information than the whole description of the vulnerability.
I think that the most important thing when you make a local security check
is to know if you are vulnerable, since when, and how you can fix it (it has
to be very short and straight).
If you would like more information about the vulnerability itself, you
can read the official advisory by following the reference (and the CVE
or any other information). I would not put the description (but just the
summary) of the vulnerability into the nasl because it could be too
long, confusing and not relevant for the check.