From: Olivier Mauras
To: alpine-devel@lists.alpinelinux.org
Date: Thu, 03 Nov 2016 10:45:27 +0100
Subject: [alpine-devel] [APK] Feature request - Changelog of updates
List-Id: Alpine Development

Hello,

I already discussed this point with some of the team on IRC and the conclusion has been to take it up the list.

Every major distribution includes a "changelog" option in their package manager. This makes things very easy to list all the CVEs affecting your network.

For example "yum --changelog update" outputs something like that for each package:

    ChangeLog for: libxml2-2.9.1-6.el7_2.3.x86_64
    * Mon Jun 6 14:00:00 2016 Daniel Veillard - libxml2-2.9.1-6.3
    - Heap-based buffer overread in xmlNextChar (CVE-2016-1762)
    - Bug 763071: Heap-buffer-overflow in xmlStrncat (CVE-2016-1834)
    - Bug 757711: Heap-buffer-overflow in xmlFAParsePosCharGroup (CVE-2016-1840)
    - Bug 758588: Heap-based buffer overread in xmlParserPrintFileContextInternal (CVE-2016-1838)
    - Bug 758605: Heap-based buffer overread in xmlDictAddString (CVE-2016-1839)
    - Bug 759398: Heap use-after-free in xmlDictComputeFastKey (CVE-2016-1836)
    - Fix inappropriate fetch of entities content (CVE-2016-4449)
    - Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemiteral (CVE-2016-1837)
    - Heap use-after-free in xmlSAX2AttributeNs (CVE-2016-1835)
    - Heap-based buffer-underreads due to xmlParseName (CVE-2016-4447)
    - Heap-based buffer overread in htmlCurrentChar (CVE-2016-1833)
    - Add missing increments of recursion depth counter to XML parser. (CVE-2016-3705)
    - Avoid building recursive entities (CVE-2016-3627)
    - Fix some format string warnings with possible format string vulnerability (CVE-2016-4448)
    - More format string warnings with possible format string vulnerability (CVE-2016-4448)

As you can see, it's then fairly easy to parse the output to get a list of the CVEs.

I'd love to see an "apk upgrade -s --changelog" option that would mimic this behaviour. Ideally only the changelog between the installed version and the available update should be displayed.

The questions are:
- How to do it?
- How to get the needed information?

Cheers,
-O.

---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---
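The message says the yum changelog output is "fairly easy to parse" and that ideally only entries newer than the installed version should be shown. The following is an added example (not part of the original post, and not apk's or yum's own code) that does both for the format quoted above: it splits the output into packages and dated entries, collects the CVE identifiers per entry (de-duplicating CVE-2016-4448, which the quoted output lists twice), and then reports only the CVEs from entries above the installed release, relying on the newest-first ordering of the changelog rather than on RPM version comparison. The input embeds the libxml2 entry exactly as quoted in the message plus one constructed older entry ("libxml2-2.9.1-6.2", author "Example Packager") that carries no CVE; that older entry and its version string are assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed test input. The package header and the first "*" entry are the
# yum --changelog excerpt quoted in the message; the second "*" entry is an
# invented older release (assumption) used only to show the "stop at the
# installed version" behaviour.
SAMPLE = """\
ChangeLog for: libxml2-2.9.1-6.el7_2.3.x86_64
* Mon Jun 6 14:00:00 2016 Daniel Veillard - libxml2-2.9.1-6.3
- Heap-based buffer overread in xmlNextChar (CVE-2016-1762)
- Bug 763071: Heap-buffer-overflow in xmlStrncat (CVE-2016-1834)
- Bug 757711: Heap-buffer-overflow in xmlFAParsePosCharGroup (CVE-2016-1840)
- Bug 758588: Heap-based buffer overread in xmlParserPrintFileContextInternal (CVE-2016-1838)
- Bug 758605: Heap-based buffer overread in xmlDictAddString (CVE-2016-1839)
- Bug 759398: Heap use-after-free in xmlDictComputeFastKey (CVE-2016-1836)
- Fix inappropriate fetch of entities content (CVE-2016-4449)
- Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemiteral (CVE-2016-1837)
- Heap use-after-free in xmlSAX2AttributeNs (CVE-2016-1835)
- Heap-based buffer-underreads due to xmlParseName (CVE-2016-4447)
- Heap-based buffer overread in htmlCurrentChar (CVE-2016-1833)
- Add missing increments of recursion depth counter to XML parser. (CVE-2016-3705)
- Avoid building recursive entities (CVE-2016-3627)
- Fix some format string warnings with possible format string vulnerability (CVE-2016-4448)
- More format string warnings with possible format string vulnerability (CVE-2016-4448)
* Fri Jan 1 12:00:00 2016 Example Packager - libxml2-2.9.1-6.2
- Constructed older entry with no security content
"""

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
PKG_RE = re.compile(r"^ChangeLog for:\s+(\S+)")
# Matches "* <weekday month day time year> <author> - <name-version-release>"
ENTRY_RE = re.compile(r"^\*\s+(?P<date>.+?\d{4})\s+(?P<author>.+?)\s+-\s+(?P<evr>\S+)\s*$")


@dataclass
class Entry:
    date: str
    author: str
    evr: str                      # name-version-release tag at the end of the "*" line
    cves: List[str] = field(default_factory=list)


def parse_changelog(text: str) -> Dict[str, List[Entry]]:
    """Map each 'ChangeLog for:' package to its entries, newest first, as yum prints them."""
    packages: Dict[str, List[Entry]] = {}
    pkg: Optional[str] = None
    entry: Optional[Entry] = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg = m.group(1)
            packages[pkg] = []
            entry = None
            continue
        m = ENTRY_RE.match(line)
        if m and pkg is not None:
            entry = Entry(m["date"], m["author"], m["evr"])
            packages[pkg].append(entry)
            continue
        if entry is not None:
            # Body lines ("- ...") may mention several CVEs; keep each once per entry.
            for cve in CVE_RE.findall(line):
                if cve not in entry.cves:
                    entry.cves.append(cve)
    return packages


def cves_since(entries: List[Entry], installed_evr: Optional[str] = None) -> List[str]:
    """CVEs from entries newer than installed_evr.

    Entries are newest-first, so we stop at the first entry whose tag equals the
    installed release; with installed_evr=None every entry is reported.
    """
    found: List[str] = []
    for e in entries:
        if installed_evr is not None and e.evr == installed_evr:
            break
        for cve in e.cves:
            if cve not in found:
                found.append(cve)
    return sorted(found)


if __name__ == "__main__":
    for pkg, entries in parse_changelog(SAMPLE).items():
        print(pkg)
        for cve in cves_since(entries, installed_evr="libxml2-2.9.1-6.2"):
            print("  ", cve)
```

Piping real `yum --changelog update` output into `parse_changelog` gives one entry list per package; pass the installed release tag (the part after the author's name on the most recent entry you already have) as `installed_evr` to get just the CVEs the pending update would close.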