> I looked at this a while back, well over a year I think now. And the
> problem was that OpenVAS does not actually test for the Vuln but it
> tries to use content to assume the exploits will not work. That is a
> very risky situation to get into.

In terms of a proper security assessment, this is a debate that we have within the OpenVAS developer community and I am actually on your side with this. I won't bother the CentOS list with more details than that unless anyone specifically wants me to go into greater detail, except to say that this is not a technical limitation, just a policy of the authors who are writing the testing scripts.

However, in terms of simply looking to see what known patches are missing, the current method of assessment is sufficient and complete. The question assumes that patches already exist and therefore they can be queried for in the RPM database to see if they exist (with the needed info encoded in the release strings).

If we are talking about missing patches that do NOT exist, IOW, looking for vulnerabilities that the CentOS devs or upstream have not addressed yet... then other tools may be more appropriate.

-geoff

---------------------------------
Geoff Galitz
Blankenheim NRW, Germany
http://www.galitz.org/
http://german-way.com/blog/
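
The release-string check described in the message above, as an added example (not part of the original post and not OpenVAS code): it compares installed `[epoch:]version-release` strings against the first fixed release for each advisory. The package names, versions and advisory ids are constructed, and the segment comparison is a simplified form of RPM's ordering that ignores `~` and `^`.

```python
import re

def rpmvercmp(a, b):
    """Simplified RPM segment comparison (no '~' or '^' handling)."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_evr(evr):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch, rest = evr.split(":", 1) if ":" in evr else ("0", evr)
    version, _, release = rest.rpartition("-")
    return int(epoch), version, release

def evr_cmp(a, b):
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

# Constructed sample data: names, versions and advisory ids are made up.
# Lines have the shape of: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
INSTALLED = """\
examplessl 0.9.8e-12.el5_4.1
exampled 2.2.3-43.el5
examplelib 1:1.4.2-7.el5
"""
FIXED = [  # (advisory id, package, first fixed EVR)
    ("EXAMPLE-ADV-1", "examplessl", "0.9.8e-12.el5_4.6"),  # backport: release only
    ("EXAMPLE-ADV-2", "exampled", "2.2.3-43.el5"),         # already at fixed build
    ("EXAMPLE-ADV-3", "examplelib", "1.9.0-1.el5"),        # installed epoch is higher
    ("EXAMPLE-ADV-4", "notinstalled", "1.0-1.el5"),
]

def missing_patches(installed_text, fixed):
    installed = dict(line.split() for line in installed_text.splitlines() if line)
    return [(adv, pkg, installed[pkg], evr) for adv, pkg, evr in fixed
            if pkg in installed and evr_cmp(installed[pkg], evr) < 0]

if __name__ == "__main__":
    for adv, pkg, have, need in missing_patches(INSTALLED, FIXED):
        print(f"{adv}: {pkg} {have} is older than fixed {need}")
```

Only the first advisory is reported: the upstream version is unchanged and the fix is visible solely in the release string, which is why a banner or upstream-version check would misjudge it.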