Re: [suse-security] scanrpm: script to check system for known vulnerable packages
Dear All,

I just thought I would respond to some of the points people made about my scanrpm script.

A couple of people mentioned that it ought to handle ranges of vulnerable versions rather than just single ones. This was certainly my intention originally, but then I looked at the possible forms that version strings can take and realised that parsing and comparing them could be tricky. Probably still possible, but difficult to cover all the cases. And the script at present has the great virtue of simplicity (only 55 non-comment lines at present)...more complexity means more bugs and more unexpected behaviour. A compromise would be to allow regular expressions in the comparison; this should be easy to implement.

Another idea is for keys such as "SEVERITY=x" [x=1..10] and "INFO='Remote Root Exploit'" to give you more information about the exploit...good idea.

Felix Huber mentioned autoupdate (http://www.mat.univie.ac.at/~gerald/ftp/autoupdate/ ), which I see as a useful but complementary tool. In particular autoupdate only helps if a fixed package is already available...sometimes the only solution is to remove a package.

The problem this script is trying to address is that it is currently very hard to be confident that you have acted on all the security alerts relevant to a release. You have to plough through a long series of alerts, some of them referring to updates which no longer exist. Any solution to this problem MUST involve SuSE producing a machine-readable list of either vulnerabilities or security fixes or (preferably) both.

Bob

--
==============================================================
Bob Vickers R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691
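The message above explains why matching ranges of vulnerable versions is harder than matching single version strings: RPM versions mix numeric and alphabetic segments, epochs and releases, and a plain string comparison gets cases like "3.10" versus "3.9" wrong. The following is an added example, not Bob Vickers' scanrpm script and not code from the list. It implements the segment-wise comparison that rpm itself uses (numeric segments compare as integers, alphabetic ones lexically, a numeric segment beats an alphabetic one, and "~" sorts before anything) and then checks a constructed list of installed packages against constructed vulnerability entries that carry a fixed-in version and an optional introduced-in version. The package names, versions and the `VULNERABLE` entry format are all made up for the example; the installed-package lines are in the shape `rpm -qa --queryformat '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'` would print, with "(none)" standing for a missing epoch.

```python
import re

def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version (or release) strings segment by segment.
    Returns -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Skip separators: anything that is neither alphanumeric nor a tilde.
        while i < la and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # A tilde sorts before everything, including the end of the string
        # (so "1.0~rc1" is older than "1.0").
        a_tilde = i < la and a[i] == "~"
        b_tilde = j < lb and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= la or j >= lb:
            break
        # Take a run of digits or a run of letters, depending on what a starts with.
        if a[i].isdigit():
            m_a, m_b, numeric = re.match(r"[0-9]+", a[i:]), re.match(r"[0-9]+", b[j:]), True
        else:
            m_a, m_b, numeric = re.match(r"[A-Za-z]+", a[i:]), re.match(r"[A-Za-z]+", b[j:]), False
        seg_a = m_a.group(0)
        seg_b = m_b.group(0) if m_b else ""
        i += len(seg_a)
        j += len(seg_b)
        if not seg_b:
            # Segment types differ: a numeric segment is newer than an alphabetic one.
            return 1 if numeric else -1
        if numeric:
            c = (int(seg_a) > int(seg_b)) - (int(seg_a) < int(seg_b))
        else:
            c = (seg_a > seg_b) - (seg_a < seg_b)
        if c:
            return c
    # Whichever string still has characters left is the newer one.
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1

def parse_evr(evr: str):
    """Split 'epoch:version-release' into (int epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e in ("", "(none)") else int(e)
    if "-" in evr:
        version, release = evr.rsplit("-", 1)
    else:
        version, release = evr, ""
    return epoch, version, release

def evrcmp(x: str, y: str) -> int:
    """Compare two epoch:version-release strings; epoch wins, then version, then release."""
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return (ex > ey) - (ex < ey)
    c = rpmvercmp(vx, vy)
    return c if c else rpmvercmp(rx, ry)

# Constructed sample of installed packages (not a real system).
INSTALLED = """\
sample-daemon (none):2.9.9p2-1
sample-lib 1:1.0.3-5
sample-tool (none):0.9.1~rc1-2
sample-tool-extra (none):3.10-1
"""

# Constructed vulnerability entries: vulnerable if installed < fixed_in
# and (when given) installed >= introduced_in.
VULNERABLE = [
    {"name": "sample-daemon", "fixed_in": "3.0-1", "info": "constructed example"},
    {"name": "sample-lib", "fixed_in": "1.0.4-1"},                 # epoch 1 installed: not affected
    {"name": "sample-tool", "introduced_in": "0.9.0", "fixed_in": "0.9.1-1"},  # ~rc1 is older than the fix
    {"name": "sample-tool-extra", "fixed_in": "3.9-1"},            # 3.10 is newer than 3.9
]

def scan(installed_text: str, vulns: list) -> list:
    """Return (name, installed_evr, fixed_in) for every installed package in a vulnerable range."""
    installed = {}
    for line in installed_text.splitlines():
        if line.strip():
            name, evr = line.split()
            installed[name] = evr
    hits = []
    for v in vulns:
        evr = installed.get(v["name"])
        if evr is None:
            continue
        if "introduced_in" in v and evrcmp(evr, v["introduced_in"]) < 0:
            continue
        if evrcmp(evr, v["fixed_in"]) < 0:
            hits.append((v["name"], evr, v["fixed_in"]))
    return hits

if __name__ == "__main__":
    for name, have, fixed in scan(INSTALLED, VULNERABLE):
        print(f"VULNERABLE: {name} {have} (fixed in {fixed})")
```

Run as a script it reports `sample-daemon` and `sample-tool` only; the epoch on `sample-lib` and the numeric comparison of `3.10` against `3.9` keep the other two out, which is exactly where a regular-expression match on the version string would be both harder to write and easier to get wrong.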