Today I came across a paragraph on how to identify vulnerabilities, in which debsecan was mentioned. I downloaded and executed debsecan, and as a result I received a very long and shocking report.
EDIT
- I did run debsecan --suite=stretch
- I am running Debian stretch 9.9 with kernel 4.9.0-9-amd64
- My sources.list contains:

deb http://ftp.stw-bonn.de/debian/ stretch main
deb-src http://ftp.stw-bonn.de/debian/ stretch main

deb http://security.debian.org/debian-security stretch/updates main
deb-src http://security.debian.org/debian-security stretch/updates main

# stretch-updates, previously known as 'volatile'
deb http://ftp.stw-bonn.de/debian/ stretch-updates main
deb-src http://ftp.stw-bonn.de/debian/ stretch-updates main

# Backports
### To install a package from Backports: apt-get -t stretch-backports install "package"
deb http://deb.debian.org/debian stretch-backports main
First I thought using apt update && apt -y upgrade would be enough to be up to date. But this does not seem to be the case when I see that, according to debsecan, I have so many tools with known exploits, especially those of high urgency. Just to mention a few: busybox, unrar, multiarch-support, bsdutils, mount, login, util-linux…
Then I checked CVE-2016-2779 util-linux (high urgency), for example.
According to security-tracker.debian.org there is a fix in version 2.33.1-0.1 (buster, sid).
So I hoped I could upgrade that package somehow.
Do you have any advice how I can achieve that? I tried with apt-get -t stretch-backports install util-linux but that didn't help.
As I have read I could upgrade to debian-testing as one option. Are there any other options?
Like my name already suggests, I am new to Linux. This all is new to me. Until yesterday I thought I would always be up to date with my machines and now I see I am not.
I have edited my question because people pointed me to not use debsecan on an Ubuntu installation because debsecan is not intended to be used inside Ubuntu, although you can download it with apt from Ubuntu repositories. No clue why you can download a tool that in the end is not meant to be used inside your distribution, but okay.
Best Answer
debsecan uses a series of databases which record vulnerabilities and the availability of fixes; but those databases are only available for Debian suites. If you run it on an Ubuntu system, the results at minimum won’t account for security issues fixed in Ubuntu-specific releases, e.g. QEMU, which receives security releases for Ubuntu which are separate from the Debian releases.

In Debian, you would configure debsecan with the --suite option or its package configuration (which you’d see by installing it with sudo apt install debsecan, even in Ubuntu) to track whatever release you’re using; but the required information isn’t available for Ubuntu releases, so debsecan can’t be used in the same way for Ubuntu.

If you look at all the CVEs listed in your report, I think you’ll find that the majority of them (and all the serious ones) are fixed in your release of Ubuntu, but that debsecan doesn’t know about those fixes. You’re using a supported release of Ubuntu; apt update && apt upgrade should be enough to keep you up-to-date (you’re always at risk from undiscovered vulnerabilities, and during the — hopefully short — window between discovery and the availability of fixes, and from mis-configuration; but that’s the case with any distribution).
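As an added example (not part of the original question or answer, and not code from debsecan itself), a small POSIX sh helper that derives the value for debsecan --suite from os-release data and refuses anything that is not Debian proper: an ID_LIKE=debian system such as Ubuntu deliberately does not qualify, because debsecan has no vulnerability data for its releases. The os-release samples below are constructed for the demonstration.

```shell
#!/bin/sh
# Read /etc/os-release contents from stdin and print the Debian suite name
# to pass to "debsecan --suite=...". Returns non-zero for non-Debian systems.
# (Example helper added here; not part of the original post or of debsecan.)
debsecan_suite_for() {
    id=""; codename=""; version=""
    while IFS='=' read -r key value; do
        value=${value%\"}; value=${value#\"}      # drop surrounding quotes
        case $key in
            ID)               id=$value ;;
            VERSION_CODENAME) codename=$value ;;
            VERSION)          version=$value ;;
        esac
    done
    # Only ID=debian has debsecan data. ID_LIKE=debian (Ubuntu and friends)
    # ship their own security fixes that debsecan's databases know nothing about.
    [ "$id" = "debian" ] || return 1
    if [ -z "$codename" ]; then
        # Debian 9 os-release has no VERSION_CODENAME; recover the codename
        # from VERSION="9 (stretch)" when it carries a parenthesised name.
        case $version in
            *\(*\)*) codename=${version##*\(}; codename=${codename%%\)*} ;;
        esac
    fi
    [ -n "$codename" ] || return 1
    printf '%s\n' "$codename"
}

# Constructed sample os-release files (not copied from any real machine).
DEBIAN_STRETCH_OS_RELEASE='PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian'

UBUNTU_OS_RELEASE='NAME="Ubuntu"
VERSION="18.04.2 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
VERSION_CODENAME=bionic'

# Demo run over both samples; on a live system use: debsecan_suite_for < /etc/os-release
for sample in "$DEBIAN_STRETCH_OS_RELEASE" "$UBUNTU_OS_RELEASE"; do
    if suite=$(printf '%s\n' "$sample" | debsecan_suite_for); then
        echo "Debian detected: run  debsecan --suite=$suite"
    else
        echo "Not Debian: debsecan has no vulnerability data for this release"
    fi
done
```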