
[alpine-devel] [APK] Feature request - Changelog of updates

From: Olivier Mauras <olivier_at_mauras.ch>
Date: Thu, 03 Nov 2016 10:45:27 +0100

Hello,

I already discussed this point with some of the team on IRC and the
conclusion has been to take it up the list.

Every major distribution includes a "changelog" option in their package
manager. This makes things very easy to list all the CVEs affecting your
network.

For example "yum --changelog update" outputs something like that for
each package:

ChangeLog for: libxml2-2.9.1-6.el7_2.3.x86_64
* Mon Jun 6 14:00:00 2016 Daniel Veillard <veillard_at_redhat.com> -
libxml2-2.9.1-6.3
- Heap-based buffer overread in xmlNextChar (CVE-2016-1762)
- Bug 763071: Heap-buffer-overflow in xmlStrncat
<https://bugzilla.gnome.org/show_bug.cgi?id=763071> (CVE-2016-1834)
- Bug 757711: Heap-buffer-overflow in xmlFAParsePosCharGroup
<https://bugzilla.gnome.org/show_bug.cgi?id=757711> (CVE-2016-1840)
- Bug 758588: Heap-based buffer overread in
xmlParserPrintFileContextInternal
<https://bugzilla.gnome.org/show_bug.cgi?id=758588> (CVE-2016-1838)
- Bug 758605: Heap-based buffer overread in xmlDictAddString
<https://bugzilla.gnome.org/show_bug.cgi?id=758605> (CVE-2016-1839)
- Bug 759398: Heap use-after-free in xmlDictComputeFastKey
<https://bugzilla.gnome.org/show_bug.cgi?id=759398> (CVE-2016-1836)
- Fix inappropriate fetch of entities content (CVE-2016-4449)
- Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemiteral
(CVE-2016-1837)
- Heap use-after-free in xmlSAX2AttributeNs (CVE-2016-1835)
- Heap-based buffer-underreads due to xmlParseName (CVE-2016-4447)
- Heap-based buffer overread in htmlCurrentChar (CVE-2016-1833)
- Add missing increments of recursion depth counter to XML parser.
(CVE-2016-3705)
- Avoid building recursive entities (CVE-2016-3627)
- Fix some format string warnings with possible format string
vulnerability (CVE-2016-4448)
- More format string warnings with possible format string vulnerability
(CVE-2016-4448)

As you can see, it's then fairly easy to parse the output to get a list
of the CVEs.

I'd love to see an "apk upgrade -s --changelog" option that would mimic
this behaviour. Ideally only the changelog between installed version and
available update should be displayed.

The questions are:
   - How to do it?
   - How to get the needed information?


Cheers,
-O.


---
Unsubscribe:  alpine-devel+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-devel+help_at_lists.alpinelinux.org
---
Received on Thu Nov 03 2016 - 10:45:27 GMT
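A parser for the changelog shape quoted in the mail, added here as an example (it is not code from the mail, from yum or from apk). It joins bullet lines that the output wraps onto following lines (the CVE id often sits on a continuation line), extracts and deduplicates CVE ids per entry, and keeps only the entries newer than the installed version, which is the "only the changelog between installed version and available update" behaviour the mail asks for. The sample input is constructed from part of the libxml2 entry in the mail plus a second entry whose version and CVE id are placeholders; `parse_changelog`, `cves_since` and `cves_by_package` are names chosen for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the shape of `yum --changelog` output: the first entry
# is a subset of the libxml2 entry quoted in the mail, the second entry is a
# placeholder (version, maintainer and CVE id are not real).
SAMPLE = """\
ChangeLog for: libxml2-2.9.1-6.el7_2.3.x86_64
* Mon Jun 6 14:00:00 2016 Daniel Veillard <veillard_at_redhat.com> -
libxml2-2.9.1-6.3
- Heap-based buffer overread in xmlNextChar (CVE-2016-1762)
- Bug 758588: Heap-based buffer overread in
xmlParserPrintFileContextInternal
<https://bugzilla.gnome.org/show_bug.cgi?id=758588> (CVE-2016-1838)
- Fix some format string warnings with possible format string
vulnerability (CVE-2016-4448)
- More format string warnings with possible format string vulnerability
(CVE-2016-4448)
* Mon Jan 1 00:00:00 2016 Placeholder Maintainer <maintainer_at_example.invalid> -
libxml2-2.9.1-6.2
- Placeholder entry with a placeholder id (CVE-0000-0000)
"""

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
HEADER_RE = re.compile(r"^ChangeLog for: (\S+)")


@dataclass
class Entry:
    header: str                 # date / author / version line, unwrapped
    version: str = ""           # text after the last " - " in the header
    items: list[str] = field(default_factory=list)


@dataclass
class PackageLog:
    package: str
    entries: list[Entry] = field(default_factory=list)


def parse_changelog(text: str) -> list[PackageLog]:
    """Parse yum-style changelog output; entries stay in file order (newest first)."""
    logs: list[PackageLog] = []
    log: PackageLog | None = None
    entry: Entry | None = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            log = PackageLog(m.group(1))
            logs.append(log)
            entry = None
            continue
        if log is None:
            raise ValueError(f"line before any 'ChangeLog for:' header: {line!r}")
        if line.startswith("* "):
            entry = Entry(header=line[2:])
            log.entries.append(entry)
            continue
        if entry is None:
            raise ValueError(f"line before any '* ' entry header: {line!r}")
        if line.startswith("- "):
            entry.items.append(line[2:])
        elif entry.items:
            # Wrapped continuation of the previous bullet.
            entry.items[-1] += " " + line
        else:
            # Wrapped continuation of the entry header (the version is on its own line).
            entry.header += " " + line
    for log in logs:
        for entry in log.entries:
            entry.version = entry.header.rsplit(" - ", 1)[-1].strip()
    return logs


def cves_in(entry: Entry) -> list[str]:
    """CVE ids mentioned in one entry, first-seen order, duplicates removed."""
    return list(dict.fromkeys(c for item in entry.items for c in CVE_RE.findall(item)))


def cves_since(log: PackageLog, installed_version: str) -> list[str]:
    """CVE ids from entries newer than installed_version.

    Entries are newest first, so collection stops at the installed version's
    entry.  If that version never appears, every entry is reported: over-reporting
    is the safer failure mode for a vulnerability listing.
    """
    found: dict[str, None] = {}
    for entry in log.entries:
        if entry.version == installed_version:
            break
        found.update(dict.fromkeys(cves_in(entry)))
    return list(found)


def cves_by_package(text: str, installed: dict[str, str]) -> dict[str, list[str]]:
    """Map each package in the output to the CVEs fixed since its installed version."""
    return {log.package: cves_since(log, installed.get(log.package, ""))
            for log in parse_changelog(text)}


if __name__ == "__main__":
    for pkg, cves in cves_by_package(SAMPLE, {"libxml2-2.9.1-6.el7_2.3.x86_64": "libxml2-2.9.1-6.2"}).items():
        print(pkg, " ".join(cves))
```

Two caveats apply when running this over real output: the version in an rpm changelog header normally lacks the dist tag that the installed package name carries, so the installed version must be supplied in the changelog's own form, and a changelog lists only the CVEs a packager chose to mention, so an absent id is not evidence that a fix is absent.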