Ubuntu – Inconsistency between unattended-upgrade and debsecan

To install security updates automatically I use unattended-upgrade:

$ sudo unattended-upgrade -d | tail -1
No packages found that can be upgraded unattended and no pending auto-removals

I also tried another tool called debsecan (homepage, currently on official repos) to list all packages with any vulnerability of CVE database. On a recently updated Ubuntu 18.04 LTS it returns 967 "remotely exploitable, high urgency" vulnerabilities on 220 packages (7 times more in total):

$ debsecan | grep "remotely exploitable, high urgency" | wc -l
967
$ debsecan | grep "remotely exploitable, high urgency" | col2 | uniq | wc -l
220
$ debsecan | grep -o "CVE-20[0-2][0-9]" | sort | uniq -c
    3 CVE-2007
    2 CVE-2008
    8 CVE-2009
    3 CVE-2012
   14 CVE-2013
    9 CVE-2014
   42 CVE-2015
  173 CVE-2016
  948 CVE-2017
 3616 CVE-2018
 4158 CVE-2019
 3540 CVE-2020
    1 CVE-2021

Am I missing something?
There is any tool to check for vulnerabilities, maybe a debsecan for Ubuntu, like Red Hat's OpenSCAP. Any other beside OpenVAS or Nessus?

Updates

Answer from someone on Ubuntu Security Team (2019):

In Ubuntu, landscape is the preferred solution for checking security update status.

We would certainly like for someone to contribute the modifications required to get debsecan working. Here is the bug about debsecan.

debsecan should be either adjusted (for ubuntu) or removed
Seems debsecan read this file:
```
curl -s https://security-tracker.debian.org/tracker/debsecan/release/1/GENERIC | zlib-flate -uncompress | less
```
AFAIK (please correct me) since there is no API for Ubuntu Security Advisory (USN), the data from CVE-tracking page or USN (or maybe easier from here) should be merged [into a JSON and] there.
Update 2020-05: UST2DSA

We've just finished a tool to build debsecan suitable databases from the Ubuntu CVE Tracker data.
It is open source under Apache 2.0 and it is available here: https://github.com/BBVA/ust2dsa
Using Github's CI we rebuild the databases every 6 hours for them to contain the latest vulnerability information.
If anybody want to test the result you just have to run this command in your current Ubuntu installation:
debsecan --suite $(lsb_release --codename --short) --source https://raw.githubusercontent.com/BBVA/ust2dsa/data/

$ debsecan | grep "remotely exploitable, high urgency" | head CVE-2017-14632 libvorbisfile3 (remotely exploitable, high urgency) CVE-2016-2776 bind9-host (remotely exploitable, high urgency) CVE-2017-14930 binutils-dev (remotely exploitable, high urgency) CVE-2017-8421 binutils-dev (remotely exploitable, high urgency) CVE-2018-8784 libwinpr-interlocked0.1 (remotely exploitable, high urgency) ...

Best Answer

Tl;DR: debsecan needs to be fixed to use Ubuntu's security tracker for it to be of any use on Ubuntu.

The debsecan script only checks the Debian Security Tracker, and only supports Debian releases in the --suite options. Since patched versions of Ubuntu packages don't show up in Debian's tracker, we get results like this:

I'm on 16.04, and of these CVEs:

CVE-2017-14632 is fix-released in 16.04
CVE-2016-2776 is fix-released in 16.04
CVE-2017-14930 needs triage in 16.04, and newer releases are marked not affected.
CVE-2017-8421 needs triage
and CVE-2018-8784 does not exist in 16.04.

So, of the first five I looked at, three were fixed or didn't affect me, one had some action taken and only one hadn't seen any action. The next five, CVE-2018-8785 through 2018-8789, were all fix-released or not affecting 16.04.

Updates

Best Answer

Related Solutions

Ubuntu – Difference between PGP and GPG

Related Question