#!/usr/local/bin/bash
# WIP script: audit the host and every jail in /etc/jail.conf against the
# FreeBSD VuXML database (pkg audit -F) and try to upgrade whatever is flagged.
# pkg install/update need the usual privileges and may prompt for confirmation.
# Example one-liner to pull the CVE ids out of a VuXML entry page:
#curl -s https://vuxml.FreeBSD.org/freebsd/9ca85b7c-1b31-11eb-8762-005056a311d1.html | sed -rn '/CVE-/s/.*: (.*)<\/li>$/\1/p'
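echo '=== host ==='

# Run the audit once and keep both its output and its exit status: with -F the
# audit first fetches the VuXML database, and a fetch/audit failure must not be
# reported as "no vulnerable packages".
host_audit=$(pkg audit -F)
host_audit_rc=$?
# Each affected package is printed as "<name>-<version> is vulnerable:".
mapfile -t Vulnerable < <(sed -rn '/is vulnerable/s/([^ ]+) .*/\1/p' <<< "$host_audit")

if (( ${#Vulnerable[@]} == 0 )); then
  if (( host_audit_rc != 0 )); then
    # NOTE(review): pkg audit is expected to exit non-zero when it found
    # problems; an empty list together with a non-zero status therefore
    # means the audit did not complete, not that the host is clean.
    echo "pkg audit failed on host (exit $host_audit_rc); cannot confirm host is clean" >&2
  else
    echo 'No vulnerable packages in host'
  fi
else
  echo 'Attempting to update host...'
  pkg update
  for Vulnerability in "${Vulnerable[@]}"; do
    # Strip the version suffix (after the last '-'): asking pkg for the exact
    # vulnerable name-version would match the installed package, not the fix.
    pkgname=${Vulnerability%-*}
    echo "Attempting to upgrade $pkgname ($Vulnerability) in host..."
    pkg install "$pkgname"
    echo
  done
fi
echo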
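# Jail names from /etc/jail.conf: the first token of a line that is followed
# by "{" (e.g. "www {" or "www{"). Comment lines and "param = value" lines are
# skipped; a token containing '=' is a parameter, not a jail name.
# NOTE(review): only the plain "name {" form is recognised; confirm this
# matches the jail.conf layout actually in use.
mapfile -t jails < <(sed -rn 's/^[[:space:]]*([^[:space:]#{=]+)[[:space:]]*[{].*/\1/p' /etc/jail.conf)

# Collected for the remediation pass below: "jail,name-version" per finding
# and the name of every jail with at least one finding (may repeat).
ProblemPackages=()
ProblemJails=()

for jail in "${jails[@]}"; do
  echo "=== jail $jail ==="
  # As for the host: keep the exit status so a failed audit is not mistaken
  # for a clean jail.
  jail_audit=$(pkg -j "$jail" audit -F)
  jail_audit_rc=$?
  mapfile -t Vulnerable < <(sed -rn '/is vulnerable/s/([^ ]+) .*/\1/p' <<< "$jail_audit")

  if (( ${#Vulnerable[@]} == 0 )); then
    if (( jail_audit_rc != 0 )); then
      echo "pkg audit failed in $jail (exit $jail_audit_rc); cannot confirm it is clean" >&2
    else
      echo "No vulnerable packages in $jail."
    fi
  else
    ProblemJails+=("$jail")
    for Vulnerability in "${Vulnerable[@]}"; do
      echo "$Vulnerability is vulnerable."
      ProblemPackages+=("$jail,$Vulnerability")
    done
  fi
  echo
done
echo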
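# Refresh the package catalog once per affected jail. ProblemJails may list a
# jail once per finding, so de-duplicate without a tr/sort round trip.
declare -A seen_jail=()
for Jail in "${ProblemJails[@]}"; do
  [[ -n ${seen_jail[$Jail]:-} ]] && continue
  seen_jail[$Jail]=1
  echo "Attempting to update $Jail..."
  pkg -j "$Jail" update
done
echo

for Problem in "${ProblemPackages[@]}"; do
  # Entries are "jail,name-version". Split on the FIRST comma only: FreeBSD
  # package versions can themselves contain a comma (PORTEPOCH, e.g.
  # "foo-1.2,1"), which a cut -f2 -d, would truncate.
  Jail=${Problem%%,*}
  Package=${Problem#*,}
  # Strip the version suffix (after the last '-') so pkg resolves the package
  # by name and can pick up the fixed release instead of the installed one.
  pkgname=${Package%-*}
  echo "Attempting to upgrade $pkgname ($Package) in $Jail..."
  pkg -j "$Jail" install "$pkgname"
  echo
done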