-
Notifications
You must be signed in to change notification settings - Fork 68
/
Copy pathChangeLog
301 lines (226 loc) · 10.4 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
**
** This Changelog is kept for historical reasons.
** Please use the git commit log for more information.
**
** https://github.com/sjvermeu/cvechecker/commits/master
**
** (2017-03-27) Release 3.8
** (2017-03-13) Sven Vermeulen
- Fix bug about CVE data not being taken (seen as already existing
while it is not)
** (2017-03-01) Release 3.7
** (2017-03-01) Sven Vermeulen
- Support sequences in CVE longer than 4 positions
** (2016-09-19) Sven Vermeulen
- Use nvdcve-2.0-Modified.xml with capitalized M
** (2015-11-07) Release 3.6
** (2015-11-06) Sven Vermeulen
- Download compressed NVD XML files
** (2015-08-08) Christopher Warner
- Add .gitignore cleanups
- Remove AM_PROG_CC_C_O as AC_PROG_CC was rewritten to implement the check for C compiler supporting -c and -o options together
- Remove deprecated form of macro call for AM_INIT_AUTOMAKE
- AC_MSG_WARN([Please make sure pkg-config is installed and autoreconf run])
- INCLUDES has been depreacted for AM_CPPFLAGS
- Make sqlite the default DB
- Update depcomp
- Update missing
- Refresh install-sh
- README to README.md minor cleanup
- Delete README
- Update this ChangeLog
** (2014-07-07) Sven Vermeulen
- Drop all .svn dirs (thx to Jason Zaman)
** (2014-02-28) Christopher Meng
- Add check for wget availability
** (2013-10-20) Sven Vermeulen
- Do not reuse rc variable when checking upgrade return codes (as rc
contained a string length)
** (2013-09-30) Release 3.5
** (2013-09-20) Sven Vermeulen
- Add LICENSE to distribution archive
- Update feature request document with request for handling false
positives (ack/ignore) from within cvechecker
** (2013-09-17) Sven Vermeulen
- Report by cvereport should show all files in scope
** (2013-09-17) Release 3.4
** (2013-09-17) Sven Vermeulen
- Quote variables in pullcves, otherwise the tests (such as "is empty")
have wrong return values (resulting in a hanging pullcves command)
** (2013-09-16) Release 3.3
** (2013-08-17) Anne Mulhern <e-mail redacted>
- Support configuration file lookup through the CVECHECKER_CONFFILE
environment variable
** (2013-08-17) Sven Vermeulen
- Some CVEs mention CPEs without version
- Update documents with latest developments
** (2013-08-15) Sven Vermeulen
- Further improve error handling
- Update default location for versions.dat to github URL
- Remove versions.dat with a pullcves cleancache
- Feed tb_cpe_versions table if it is not "full"
- Allow binlist to be stdin if "-" is provided
** (2013-08-14) Sven Vermeulen
- Exit gracefully in pullcves
** (2013-08-14) Anne Mulhern <e-mail redacted>
- Handle cvechecker return codes in pullcves
- Properly bail out if CPE data is not correctly formatted
** (2013-08-11) Anne Mulhern <e-mail redacted>
- Fix zero cpeids in tb_binmatch table
- Improve return code handling in sqlite code
** (2013-08-11) Sven Vermeulen <[email protected]>
- Check on CPE field sizes to prevent potential overflows
- Check on CVE field sizes before loading into database
- Use LARGEFIELDSIZE for contentmatch column (tb_versionmatch) and
C-type variables related to the content match
- Introduce database fixing for MySQL
- Remove unused variables
** (2013-07-08) Sven Vermeulen <[email protected]>
- Handle cve data file open failures correctly
- Bail out when SQL instruction in SQLite fails
** (2013-02-04) Sven Vermeulen <[email protected]>
- Add fix for cpe:language when additional ':' was provided (Thanks to
Arnaud Fileux)
** (2012-11-25) Release 3.2
** (2012-11-25) Sven Vermeulen <[email protected]>
- Fix declarations for dummy database handlers wrt cvss scoring
** (2012-05-13) Sven Vermeulen <[email protected]>
- Use memset in zero_string
- Clean up buffers before reusing (suggestion by Francesco Colista)
** (2012-04-20) Sven Vermeulen <[email protected]>
- Add check on xsltproc (reported by Scott Garman)
** (2012-01-22) Sven Vermeulen <[email protected]>
- Add CVSS scoring information to the report
** (2011-07-21) Sven Vermeulen <[email protected]>
- Update buffer size checks
** (2011-04-13) Release 3.1
** (2011-04-11) Sven Vermeulen <[email protected]>
- Sanitize hostname/userdefkey in MySQL implementation
- Fix weird bug when both sqlite and mysql support is requested
** (2011-04-11) Release 3.0
** (2011-04-11) Sven Vermeulen <[email protected]>
- Fix reporting on existing entries in the database
- Fix reporting on software installation (header mismatch)
- Fix cpepart error in reporting (MySQL)
- Update documentation and manual pages
- Update MySQL to InnoDB and use foreign keys for referential
integrity
** (2011-04-10) Sven Vermeulen <[email protected]>
- Improve CVE loadtime
- Enhance pullcves to deduce dates rather than hardcode them
- Updates on documentation and manual pages
** (2011-04-01) Sven Vermeulen <[email protected]>
- More MySQL support
** (2011-04-01) Sven Vermeulen <[email protected]>
- Pull up fieldsize from 64 to 128 characters
- Make sizes a bit more manageable
- Drop some dead code
** (2011-03-24) Sven Vermeulen <[email protected]>
- Start framework to support MySQL
** (2011-02-24) Sven Vermeulen <[email protected]>
- Allow pullcves to pull information of 2011 too
** (2011-02-21) Sven Vermeulen <[email protected]>
- Support watchlist (provide software titles not detected by
cvechecker)
** (2010-12-01) Release 2.0
** (2010-12-01) Sven Vermeulen <[email protected]>
- Make scripts more generic (not Gentoo specific)
** (2010-11-27) Sven Vermeulen <[email protected]>
- Add manpages for scripts
** (2010-11-26) Sven Vermeulen <[email protected]>
- Do not allow unquoted " characters in contentmatch
- Add scripts to provide easier versions.dat rules
** (2010-11-02) Sven Vermeulen <[email protected]>
- Add index on tb_cve for CPE data
- Cleanup of code
** (2010-11-01) Sven Vermeulen <[email protected]>
- Add support for 'higher version' reporting (but still
has a lot of quirks to resolve).
** (2010-10-30) Sven Vermeulen <[email protected]>
- Adding delta processing of binary files
** (2010-10-01) Release 1.0
** (2010-09-10) Sven Vermeulen <[email protected]>
- Add link to CVE details in report
- More error handling / buffer overflow fixes
** (2010-09-08) Release 0.6
** (2010-09-08) Sven Vermeulen <[email protected]>
- Add indexes on sqlite3 databases (performance impact)
- Add support to view detected software
** (2010-09-04) Sven Vermeulen <[email protected]>
- Fix bug in pullcves when it is an initial pull (which failed)
** (2010-09-04) Sven Vermeulen <[email protected]>
- Use posix sh for distributed scripts
- Do not distribute previous sample files (part of cvereport now)
** (2010-09-03) Sven Vermeulen <[email protected]>
- Use '...' around files in strings command
- Fix buffer overrun in search_and_substitute_group
- Disallow files with "," in their name
- CVEs whose CPE shows less information than those stored in the
database should be shown as vulnerabilities (say "foo version 1.2" is
vulnerable, then "foo version 1.2, edition 3" should be marked as
vulnerable as well).
- Create tables for tb_cpe_(aho)_64 (after all, we created the
database as well)
- Fix bug in regular expression group substitution
- Automatically update database (fix process)
** (2010-09-02) Release 0.5
** (2010-09-01) Nigel Horne <[email protected]>
- Update configure.ac for FreeBSD builds
- Update configure.ac for NetBSD builds
- Lower libconfig requirement to 1.3
** (2010-09-01) Sven Vermeulen <[email protected]>
- Add /usr/local/include for FreeBSD builds
- Lower autoconf/automake required versions
- Add cvereport script for reporting purposes
** (2010-08-29) Sven Vermeulen <[email protected]>
- Update pullcves to only import differences with last pull (for CVEs)
- Add "cleancache" in pullcves
** (2010-08-26) Sven Vermeulen <[email protected]>
- Random code cleanups, also build with -Wall now
** (2010-08-25) Release 0.4
** (2010-08-25) Sven Vermeulen <[email protected]>
- Remove unneeded error message (cosmetic)
- XSL transformation scripts are not distributed properly
- Add pullcves manual page
- Support different returncodes for pullcves + only download/import
when needed (feature request of Nigel Horne <[email protected]>)
** (2010-08-04) Nigel Horne <[email protected]>
- Add cvedebian script as integrator between cvechecker and Debian's
security information
** (2010-08-24) Sven Vermeulen <[email protected]>
- Reorganize project repository (src, docs,data, conf, scripts)
- Fix bug where file->cpe matches keep on being added instead of
overwritten
- Add better description on error messages (reported by Nigel Horne
- Add check for argp.h (reported by Nigel Horne <[email protected]>)
- Add feature requests documentation
- Add gentoo scripts to help add new version matching data
** (2010-08-20) Release 0.3
** (2010-08-20) Sven Vermeulen <[email protected]>
- Remove debug/verbose stuff, gdb is far too powerful to ignore
- Make CSV output version-specific in case future versions deviate
from the current CSV output format
- Add example files for reporting
** (2010-08-18) Sven Vermeulen <[email protected]>
- Add "--no-check-certificate" to wget calls to allow for sourceforge
pulls even when the sourceforge site's certificates are not known
(reported by Nigel Horne <[email protected]>)
** (2010-08-17) Sven Vermeulen <[email protected]>
- Fix filename matching (bug was that only full names matched)
- Add some debugging support in the application (show SQL commands)
** (2010-08-16) Sven Vermeulen <[email protected]>
- Support for reading /proc/version (not executable, we shouldn't only
focus on executables, some libraries are interesting as well) to get
the Linux kernel version
** (2010-08-16) Release 0.2
** (2010-08-16) Sven Vermeulen <[email protected]>
- Fix configure.ac and Makefile.am to better conform with
autotools/automake rules and guidelines (for instance, now supports
"make install" command)
- Fix compiler warnings about int versus size_t (%d should be %uz)
- Update pullcves, now support pulling versions.dat file as well
- Update cvechecker, now checks /usr/local/etc/cvechecker.conf as well
** (2010-08-14) Release 0.1
** (2010-08-14) Sven Vermeulen <[email protected]>
- Initial release