Finding list of packages vulnerable to a given CVE
Apart from downloading the Red Hat OVAL files and interpreting them to find vulnerable packages, is there any way to get a relationship between CVEs and affected packages?
We have looked at Satellite (5.6), and indeed it does have an API call (listPackages) that is documented as returning a list of affected packages for a particular erratum (which can easily be related to CVEs). However, "affected" in this case appears to be a list of packages that FIX a given problem, not those that are vulnerable to it. As some vulnerabilities (e.g. the recent OpenSSL issues) get introduced and fixed fairly quickly, I don't want to mark anything PRIOR to the fixed version, as that causes issues due to all the false positives.
Does anyone have a solution?
I also know that if we registered a server with Satellite we'd be able to get a list from the system namespace (system.getRelevantErrata and system.getRelevantErrataByType), but I need to be able to do this for arbitrary packages, not necessarily ones installed on servers.
TIA
Hamish
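The relation asked about above (CVE to affected package name plus the version that fixes it) is exactly what a Red Hat OVAL patch definition encodes: a definition carries the CVE references, its criteria point at rpminfo tests, and each test points at an rpminfo object (the package name) and an rpminfo state (the "evr less than" fixed version). The following is an added example written for this thread, not code from the original post or from Red Hat; SAMPLE_OVAL is a constructed document that mirrors the layout and namespaces of Red Hat's OVAL definitions, and the advisory, CVE and version strings in it are placeholders rather than a real erratum.

```python
"""Map CVEs to (package, fixed EVR) pairs from a Red Hat-style OVAL definitions file.

Example code added to this thread; not Red Hat tooling.  SAMPLE_OVAL is a
constructed document mirroring the layout of Red Hat's OVAL patch definitions
(definition -> criterion -> rpminfo_test -> rpminfo_object / rpminfo_state).
The RHSA, CVE and version strings are placeholders, not a real advisory.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:red-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <definitions>
    <definition class="patch" id="oval:com.redhat.rhsa:def:20140001" version="601">
      <metadata>
        <title>RHSA-2014:0001: openssl security update (Important)</title>
        <reference source="RHSA" ref_id="RHSA-2014:0001" ref_url="https://access.redhat.com/errata/RHSA-2014:0001"/>
        <reference source="CVE" ref_id="CVE-2014-0001" ref_url="https://access.redhat.com/security/cve/CVE-2014-0001"/>
      </metadata>
      <criteria operator="AND">
        <criterion comment="Red Hat Enterprise Linux 6 is installed" test_ref="oval:com.redhat.rhsa:tst:20140001001"/>
        <criteria operator="OR">
          <criterion comment="openssl is earlier than 1:1.0.1e-16.el6_5.7" test_ref="oval:com.redhat.rhsa:tst:20140001002"/>
          <criterion comment="openssl-devel is earlier than 1:1.0.1e-16.el6_5.7" test_ref="oval:com.redhat.rhsa:tst:20140001003"/>
        </criteria>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <red-def:rpminfo_test id="oval:com.redhat.rhsa:tst:20140001001" version="601" check="at least one" comment="RHEL 6 is installed">
      <red-def:object object_ref="oval:com.redhat.rhsa:obj:20140001001"/>
      <red-def:state state_ref="oval:com.redhat.rhsa:ste:20140001001"/>
    </red-def:rpminfo_test>
    <red-def:rpminfo_test id="oval:com.redhat.rhsa:tst:20140001002" version="601" check="at least one" comment="openssl is earlier than fixed">
      <red-def:object object_ref="oval:com.redhat.rhsa:obj:20140001002"/>
      <red-def:state state_ref="oval:com.redhat.rhsa:ste:20140001002"/>
    </red-def:rpminfo_test>
    <red-def:rpminfo_test id="oval:com.redhat.rhsa:tst:20140001003" version="601" check="at least one" comment="openssl-devel is earlier than fixed">
      <red-def:object object_ref="oval:com.redhat.rhsa:obj:20140001003"/>
      <red-def:state state_ref="oval:com.redhat.rhsa:ste:20140001002"/>
    </red-def:rpminfo_test>
  </tests>
  <objects>
    <red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140001001" version="601"><red-def:name>redhat-release</red-def:name></red-def:rpminfo_object>
    <red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140001002" version="601"><red-def:name>openssl</red-def:name></red-def:rpminfo_object>
    <red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140001003" version="601"><red-def:name>openssl-devel</red-def:name></red-def:rpminfo_object>
  </objects>
  <states>
    <red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140001001" version="601"><red-def:version operation="pattern match">^6[^\\d]</red-def:version></red-def:rpminfo_state>
    <red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140001002" version="601"><red-def:evr datatype="evr_string" operation="less than">1:1.0.1e-16.el6_5.7</red-def:evr></red-def:rpminfo_state>
  </states>
</oval_definitions>
"""


def _local(tag):
    """Strip the namespace so the same code handles the default OVAL namespace
    and the red-def (linux) namespace without hard-coding either URI."""
    return tag.rsplit("}", 1)[-1]


def cve_to_fixed_packages(oval_xml):
    """Return {CVE: sorted [(package, fixed_evr), ...]} for every patch definition.

    Only rpminfo states with an 'evr ... less than' condition count as a fixed
    version; other states (such as the redhat-release pattern match that scopes
    a definition to a product) are ignored, so product checks never show up as
    'affected packages'.
    """
    root = ET.fromstring(oval_xml)
    objects, fixed_evr, tests = {}, {}, {}
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "rpminfo_object":
            names = [c.text for c in el if _local(c.tag) == "name"]
            objects[el.get("id")] = names[0] if names else None
        elif tag == "rpminfo_state":
            for c in el:
                if _local(c.tag) == "evr" and c.get("operation") == "less than":
                    fixed_evr[el.get("id")] = c.text
        elif tag == "rpminfo_test":
            refs = {_local(c.tag): c for c in el}
            tests[el.get("id")] = (refs["object"].get("object_ref"),
                                   refs["state"].get("state_ref"))

    result = defaultdict(set)
    for d in root.iter():
        if _local(d.tag) != "definition" or d.get("class") != "patch":
            continue
        cves = [r.get("ref_id") for r in d.iter()
                if _local(r.tag) == "reference" and r.get("source") == "CVE"]
        for crit in d.iter():
            if _local(crit.tag) != "criterion":
                continue
            obj_ref, state_ref = tests.get(crit.get("test_ref"), (None, None))
            if state_ref in fixed_evr and objects.get(obj_ref):
                for cve in cves:
                    result[cve].add((objects[obj_ref], fixed_evr[state_ref]))
    return {cve: sorted(pkgs) for cve, pkgs in result.items()}


if __name__ == "__main__":
    for cve, pkgs in cve_to_fixed_packages(SAMPLE_OVAL).items():
        for name, evr in pkgs:
            print(f"{cve}\t{name}\t< {evr}")
```

Run against a real Red Hat OVAL file, this yields one row per (CVE, package, fixed EVR), which is the lookup the post asks for and does not require the package to be installed on a registered system. Two caveats: deciding whether a concrete installed EVR is below the fixed EVR needs rpm's version comparison (rpm.labelCompare from the rpm Python bindings, or rpmdev-vercmp), which this block deliberately does not reimplement; and the OVAL condition is only "earlier than the fixed EVR", so it does not by itself tell you the version in which a flaw was introduced.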
