[Openvas-discuss] Debian Local Security Checks out of date ?

Laurent Rossier laurent.rossier at via.ecp.fr
Fri Aug 5 09:22:30 CEST 2011


05/08/2011 04:13, Thomas Reinke wrote :
> I don't see a particular problem with this, but I guess the bigger issue
> in my mind is if this is something that should be done consistently
> across ALL local security checks.  When we built the generators, we
> tried to provide a level of consistency in how they were built across
> all distributions.
>
> What we've done, in general, is to keep the amount of information within
> the test to a reasonable minimum (that is of course a subjective
> judgement call), but to then reference other resources. That includes
> always including within the script a reference to the actual advisory.
>
> So I guess, at end of day, I would lean towards not putting that
> information into the nasl (but that's a soft leaning - am willing
> to be convinced otherwise).

I don't want to impose my point of vue (of course), but I think that the 
date of publication of the security advisory is a more relevant 
information than the whole description of the vulnerability.
I think that the more important when you make a local security check is 
to know if you are vulnerable, since when and how you can fix it (it has 
to be very short and straight).
If you would like more information about the vulnerability itself, you 
can read the official advisory by following the reference (and the CVE 
or any other information). I would not put the description (but just the 
summary) of the vulnerability into the nasl because it could be too 
long, confusing and not relevant for the check.

-- 
Laurent



More information about the Openvas-discuss mailing list