On Thu, Nov 22, 2012 at 09:54:22AM +0100, Arnoud Tijssen wrote: > Hi All, > > After performing some vulnerability scans on some our systems one of the outcomes was that some software packages were out of date. > We`re using the package management system of Debian and all packages were updated (apt-get update & apt-get (dist-)upgrade) prior to the scan. > The vulnerability scanner most likely compares the version against that of the source code, which differs. > How can I tell which version in the debian package repository system corresponds to which version of the source code. http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Version states that a debian package has a version number that is formatted as: [epoch:]upstream_version[-debian_revision] That is, a small integer (0, if unspecified) followed by a colon, then the upstream version, then (starting from the last hyphen) the debian revision (again 0 if unspecified). So, taking some examples from my system: bash: 4.1-3 -> Upstream: 4.1 acpid: 1:2.0.7-1squeeze4 -> Upstream: 2.0.7 etckeeper: 0.48 -> Upstream: 0.48 > That way I can whitelist these software packages in our vulnerability scans. You might want to consider WHY the software was updated. Is there a newer upstream because there's a security vulnerability, or is it just new features (possibly untested).
Attachment:
signature.asc
Description: Digital signature