#!/bin/bash
# Author: Andrew Howard
# To-do:
# Take RHEL version as argument
# Read CVE list from file and/or stdin?
# Print relevant RHSA next to recommended minimum package versions
# Sort packages by version number, and print only newest
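# Target release: the errata tables and package file names scraped below are
# filtered on this number.
RHELVER=6
# CVE ids to check, separated by any whitespace (the string is word-split
# where it is iterated).
LIST="CVE-2015-0001 CVE-2015-0002
CVE-2015-0003
CVE-2015-0004 CVE-2015-0005 CVE-2015-0006
CVE-2015-0007"
# Requires rpmdevtools
PREREQS="rpmdev-vercmp"
BAIL=0
for COMMAND in $PREREQS; do
  # command -v is the shell's own PATH probe; which(1) is an external tool
  # that is not present, or not reliable, on every system.
  if ! command -v "$COMMAND" >/dev/null 2>&1; then
    echo "Error: $COMMAND not found in PATH." >&2
    BAIL=1
  fi
done
# A missing prerequisite aborts with a non-zero status so a caller (cron job,
# CI step, wrapper script) cannot mistake the abort for a run that found
# nothing to report.
if [ "$BAIL" -ne 0 ]; then exit 1; fi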
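function newest() {
  # Read EVR strings from stdin, one per line, and print the newest one.
  # The comparison is delegated to rpmdev-vercmp(1), which exits 0 when both
  # arguments are equal, 11 when the first is newer and 12 when the second
  # is newer. Empty input prints an empty line.
  local NEWEST LINE
  read -r NEWEST
  while read -r LINE; do
    rpmdev-vercmp "$NEWEST" "$LINE" &>/dev/null
    # Only "second argument is newer" (12) promotes the current line; 0, 11
    # and any error status from an unparsable string leave NEWEST untouched.
    if [ $? -eq 12 ]; then
      NEWEST=$LINE
    fi
  done
  echo "$NEWEST"
}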
#
# Report this run to AppStats
# Fire-and-forget usage beacon: POSTs a fixed JSON record (the author's
# username, a business unit, the script's source URL and version, and the
# current date/time from date(1); "ip" is sent empty) to a third-party
# endpoint. curl is started in the background inside a throwaway subshell,
# so the subshell returns at once and a slow or unreachable endpoint cannot
# delay the scan; its output, errors and exit status are all discarded.
# Operators should know that this outbound connection is made on every run
# and is not gated by any option or environment variable, so on hosts that
# must not reach the internet this block has to be removed or gated.
( curl -s https://appstats.rackspace.com/appstats/event/ \
-X POST \
-H "Content-Type: application/json" \
-d '{ "username": "andrew.howard",
"status": "SUCCESS",
"bizunit": "Enterprise",
"OS": "Linux",
"functionid": "N/A",
"source": "https://github.com/StafDehat/scripts/blob/master/cve-checker.sh",
"version": "1.0",
"appid": "cve-checker.sh",
"device": "N/A",
"ip": "",
"datey": "'$(date +%Y)'",
"datem": "'$(date +%-m)'",
"dated": "'$(date +%-d)'",
"dateh": "'$(date +%-H)'",
"datemin": "'$(date +%-M)'",
"dates": "'$(date +%-S)'"
}' & ) &>/dev/null
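# MINREQ accumulates, one per line, every "name-ver-rel.elN..." package build
# found in the advisories; later stages reduce it to names and minimum versions.
MINREQ=""
for CVE in $LIST; do
  CVEURL="https://access.redhat.com/security/cve/$CVE"
  # Fetch first, parse second: a failed download (DNS, TLS, proxy, or an HTTP
  # error status thanks to -f) is reported on stderr instead of silently
  # becoming "No errata", which a reader would take to mean "not affected".
  if ! PAGE=$( curl -fsS "$CVEURL" ); then
    echo "$CVE: Failed to fetch $CVEURL - errata unknown, re-run or check manually" >&2
    continue
  fi
  # NOTE(review): this scrapes the page's HTML layout; a layout change yields an
  # empty ERRATA for every CVE, so "No errata" across the board deserves suspicion.
  ERRATA=$( printf '%s\n' "$PAGE" |
    sed -n '/<h2>Red Hat security errata<\/h2>/,/disclaimer/p' |
    sed -n '/.*<td>.* Linux.* '"$RHELVER"'.*<\/td>.*/,/<\/tr>/p' |
    sed -n 's/.*a href="https:\/\/rhn.redhat.com\/errata\/\(RHSA-[0-9]\+-[0-9]\+\).html".*/\1/p' |
    sort -u )
  if [ -z "$ERRATA" ]; then
    echo "$CVE: No errata for RHEL$RHELVER ($CVEURL)"
  else
    for RHSA in $ERRATA; do
      RHSAURL="https://rhn.redhat.com/errata/$RHSA.html"
      echo "$CVE: $RHSA ($RHSAURL)"
      # Blank out the id so further advisories for this CVE print aligned under it.
      CVE=${CVE//?/ }
      if ! RHSAPAGE=$( curl -fsS "$RHSAURL" ); then
        echo "$RHSA: Failed to fetch $RHSAURL - its package versions are missing from the summary" >&2
        continue
      fi
      # Keep every x86_64 package file name for this release, minus ".x86_64.rpm".
      MINREQ="$MINREQ
$( printf '%s\n' "$RHSAPAGE" |
  sed -n 's/.*>\s*\(.*el'"$RHELVER"'[0-9\-\._]*\)\.x86_64\.rpm\s*<.*/\1/p' |
  sort -u ) "
    done
  fi
done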
echo
echo "Affected packages:"
# Reduce each "name-ver-rel.elN..." line of MINREQ to its bare package name:
#   1. keep only what precedes the first '.' (version dots, .elN, .arch go)
#   2. strip the last '-' and whatever follows it
#   3. strip a trailing "-<digits>" if one is still there
#   4. drop blank lines (the separators MINREQ was built with)
PKGS=$( printf '%s\n' "$MINREQ" |
  sed -e 's/\([^.]*\).*/\1/' \
      -e 's/\(.*\)-.*/\1/' \
      -e 's/-[0-9][0-9]*$//' \
      -e '/^\s*$/d' |
  sort -u )
printf '%s\n' "$PKGS"
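echo
echo "Minimum required versions:"
# For every affected package, pick the newest EVR among all the MINREQ lines
# that belong to it, and print a "name version" table.
MINREQ=$(
  for PKG in $PKGS; do
    # \Q..\E makes PKG a literal, so a name holding regex metacharacters
    # (gcc-c++, say) cannot alter the pattern. '^' pins the match to lines
    # that start with the name: MINREQ lines always do, and without the
    # anchor a name such as "python" would also pull in "libxml2-python-..."
    # lines and feed a foreign EVR into the comparison. The version must
    # still begin with digits followed by '-' or '.', as before.
    VERSION=$( grep -P "^\Q$PKG\E-\d+[-\.].*$" <<<"$MINREQ" |
      while IFS= read -r LINE; do printf '%s\n' "${LINE#"$PKG-"}"; done |
      newest )
    echo "$PKG $VERSION"
  done | column -t
)
echo "$MINREQ"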
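# Everything below queries the local rpm database, so it is only meaningful
# when this script runs on the RHEL$RHELVER host being assessed - which the
# script cannot know. Those checks are therefore opt-in: set CHECK_INSTALLED=1
# in the environment to run them. By default the script stops here, as before.
if [ "${CHECK_INSTALLED:-0}" != "1" ]; then
  exit 0
fi
echo
echo "Installed versions:"
for PKG in $PKGS; do
  # rpm -q fails for a package that is not installed; such names are skipped
  # here and listed separately below.
  if VERSION=$( rpm -q --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}\n' "$PKG" ); then
    echo "$PKG $VERSION"
  fi
done | column -t
echo
echo "These affected packages are not installed:"
# rpm prints "package NAME is not installed" for each missing name; print NAME.
rpm -q $PKGS | awk '/not installed/ {print $2}'
echo
echo
echo "You need to update the following:"
# MINREQ now holds the column -t table "name version" produced above.
while read -r PKG VERSION; do
  [ -n "$PKG" ] || continue
  if INSTALLED=$( rpm -q "$PKG" ); then
    # rpmdev-vercmp exits 11 when its first argument (the installed build) is
    # newer; anything else (0 equal, 12 required is newer, or an error) means
    # an update is needed.
    # NOTE(review): INSTALLED carries the ".arch" suffix from rpm -q while
    # the required EVR does not - confirm rpmdev-vercmp tolerates that.
    rpmdev-vercmp "$INSTALLED" "$PKG-$VERSION" &>/dev/null
    if [ $? -ne 11 ]; then
      echo "$PKG"
    fi
  fi
done <<<"$MINREQ"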