
Re: debsecan does not report a vulnerability?



David Wright wrote:
> > On Monday, 11 May 2020 00:14:02 PDT Victor Sudakov wrote:
> > > 
> > > What do you use to track vulnerabilities in your Debian hosts? What's the
> > > general approach? Do we just rely upon unattended-upgrade to fetch and
> > > install patched packages for us?
> > 
> > Running unattended upgrades is generally a recommended way to keep the system 
> > up-to-date. It minimizes the time from update being published to installed.
> > 
> > I got interested and installed debsecan on my laptop. Here is what man says:
> > 
> >        Much like the official Debian security advisories, debsecan's
> >        vulnerability tracking is mostly based on source packages.
> >        
> > So it seems that it only knows about issues that were reported to source 
> > packages. The next logical step would be to grep bugtracker to see if this CVE 
> > was even reported to that package. 
> 
> Or you could check /usr/share/doc/openssl/changelog.Debian.gz
> though it only shows up in version 1.1.1d-0+deb10u3 of course.
> 
> $ zcat /usr/share/doc/openssl/changelog.Debian.gz | head

I'm looking for a more generic tool to audit all installed packages and
report vulnerable ones.
> $ 
> 
> (I'm not sure why the OP is still running the previous version.)

I downgraded it on purpose, to find a tool which would detect and report
this package as vulnerable. The "debsecan" turned out to be the wrong
tool.


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
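Added example, not from the thread or from debsecan: a POSIX shell script that applies David's changelog check to every installed package, so the changelog route becomes the "generic audit" the OP was after. It assumes the standard Debian layout /usr/share/doc/<pkg>/changelog.Debian.gz plus dpkg-query and dpkg; the changelog text and CVE id below are constructed samples, not a real advisory. Its limit is the same as debsecan's: it only sees fixes the maintainer named in the changelog.

```shell
#!/bin/sh
# Added example (not the thread's or debsecan's code). Generalises the
# zcat changelog.Debian.gz check across every installed package.
# Caveat: only finds CVEs the maintainer spelled out in the changelog.

# cve_fixed_versions CHANGELOG_TEXT CVE_ID
# Parses Debian changelog entries ("srcpkg (version) dist; urgency=...")
# and prints "srcpkg version" for each entry whose body names CVE_ID,
# newest entry first. Digits around the id are rejected so that
# CVE-2020-9999 does not match CVE-2020-99999.
cve_fixed_versions() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        /^[a-z0-9][a-z0-9.+-]* \(/ {          # entry header line
            pkg = $1; ver = $2
            sub(/^\(/, "", ver); sub(/\)$/, "", ver)
            seen = 0; next
        }
        !seen && $0 ~ ("(^|[^0-9])" cve "([^0-9]|$)") { print pkg, ver; seen = 1 }
    '
}

# audit_installed CVE_ID
# For each installed package whose changelog names the CVE, compare the
# installed version (dpkg-query) with the fixing version (dpkg --compare-versions).
audit_installed() {
    for log in /usr/share/doc/*/changelog.Debian.gz; do
        [ -r "$log" ] || continue
        bin=${log#/usr/share/doc/}; bin=${bin%/changelog.Debian.gz}  # binary pkg name
        cve_fixed_versions "$(zcat "$log")" "$1" | while read -r src fixver; do
            inst=$(dpkg-query -W -f='${Version}' "$bin" 2>/dev/null) || continue
            if dpkg --compare-versions "$inst" ge "$fixver"; then
                echo "ok         $bin $inst (fix in $src $fixver)"
            else
                echo "VULNERABLE $bin $inst < $fixver"
            fi
        done
    done
}

# Constructed sample changelog; the CVE id is a placeholder, not a real one.
SAMPLE_CHANGELOG='openssl (1.1.1d-0+deb10u3) buster-security; urgency=medium

  * Fix CVE-2020-99999 (constructed placeholder id)

 -- Example Maintainer <maint@example.org>  Sun, 10 May 2020 12:00:00 +0000

openssl (1.1.1d-0+deb10u2) buster-security; urgency=medium

  * Unrelated earlier update

 -- Example Maintainer <maint@example.org>  Sat, 01 Feb 2020 12:00:00 +0000'

cve_fixed_versions "$SAMPLE_CHANGELOG" CVE-2020-99999   # prints: openssl 1.1.1d-0+deb10u3
```

On a real host, `audit_installed CVE-XXXX-YYYY` walks all installed packages; a package whose changelog never names the id simply produces no line, which is the blind spot the thread is discussing.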
