#!/usr/local/bin/bash # crappy wip script to check for vulnerable packages #curl -s https://vuxml.FreeBSD.org/freebsd/9ca85b7c-1b31-11eb-8762-005056a311d1.html | sed -rn '/
  • CVE-/s/.*: (.*)<\/li>$/\1/p' echo === host === Vulnerable=(`pkg audit -F | sed -rn '/is vulnerable/s/([^ ]+) .*/\1/p'`) if [ "${#Vulnerable[@]}" = 0 ]; then echo No vulnerable packages in host else echo Attempting to update host... pkg update for Vulnerability in "${Vulnerable[@]}"; do echo Attempting to upgrade $Vulnerability in host... pkg install $Vulnerability echo done fi echo jails=(`sed -rn '/\{/s/^([^ #]+) .*/\1/p' < /etc/jail.conf`) for jail in "${jails[@]}"; do echo === jail $jail === Vulnerable=(`pkg -j $jail audit -F | sed -rn '/is vulnerable/s/([^ ]+) .*/\1/p'`) if [ "${#Vulnerable[@]}" = 0 ]; then echo No vulnerable packages in $jail. else for Vulnerability in "${Vulnerable[@]}"; do echo $Vulnerability is vulnerable. ProblemPackages+=($jail,$Vulnerability) ProblemJails+=($jail) done fi echo done echo ProblemJails=(`tr ' ' '\n' <<< "${ProblemJails[@]}" | sort -u | tr '\n' ' '`) for Jail in "${ProblemJails[@]}"; do echo Attempting to update $Jail... pkg -j $Jail update done echo for Problem in "${ProblemPackages[@]}"; do Jail=`cut -f1 -d"," <<< $Problem` Package=`cut -f2 -d"," <<< $Problem` echo Attempting to upgrade $Package in $Jail... pkg -j $Jail install $Package echo done