
Re: debsecan does not report a vulnerability?



On Mon 11 May 2020 at 19:53:46 (-0700), Ihor Antonov wrote:
> On Monday, 11 May 2020 00:14:02 PDT Victor Sudakov wrote:
> > 
> > What do you use to track vulnerabilities in your Debian hosts? What's the
> > general approach? Do we just rely upon unattended-upgrade to fetch and
> > install patched packages for us?
> 
> Running unattended upgrades is generally a recommended way to keep the system
> up-to-date. It minimizes the time from an update being published to it being installed.
> 
> I got interested and installed debsecan on my laptop. Here is what man says:
> 
>        Much like the official Debian security advisories, debsecan's
>        vulnerability tracking is mostly based on source packages.
>        
> So it seems that it only knows about issues that were reported to source 
> packages. The next logical step would be to grep bugtracker to see if this CVE 
> was even reported to that package. 

Or you could check /usr/share/doc/openssl/changelog.Debian.gz
though it only shows up in version 1.1.1d-0+deb10u3 of course.

$ zcat /usr/share/doc/openssl/changelog.Debian.gz | head
openssl (1.1.1d-0+deb10u3) buster-security; urgency=medium
  * CVE-2020-1967 (Segmentation fault in SSL_check_chain).
 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Mon, 20 Apr 2020 22:23:01 +0200
openssl (1.1.1d-0+deb10u2) buster-security; urgency=medium
  * Reenable AES-CBC-HMAC-SHA ciphers (Closes: #941987).
$ 

(I'm not sure why the OP is still running the previous version.)

> > I come from the FreeBSD world where there are two distinct mechanisms to
> > fix vulnerabilities: one for the base system (FreeBSD Security Advisories
> > and freebsd-update to install binary updates to the base system) and
> > another for third-party software from the ports collection ("pkg audit
> > -F" instead of security advisories, "pkg upgrade" to install up-to-date
> > patched versions of packages).
> > 
> > What do we have here, or where can I read more about it?
> There are also Debian security advisories:
> https://www.debian.org/security/ and debian-security-announce mailing list
> 
> Separately - I also happened to run a couple of FreeBSD boxes, could you share 
> your motivation for switching to Debian? 

Cheers,
David.
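The changelog check David describes above can be scripted: the stanza header of a Debian changelog carries the version, and the indented body lines carry the CVE ids. The following is an added example, not code from the thread or from Debian; it rebuilds the two stanzas quoted above as a gzipped sample file (the second stanza's trailer line is a constructed placeholder) and reports the first, i.e. newest, version whose stanza mentions a given CVE.

```shell
#!/bin/sh
# Constructed sample standing in for /usr/share/doc/openssl/changelog.Debian.gz;
# the stanza text is the excerpt quoted in the thread, the second trailer is a placeholder.
make_sample_changelog() {
  f=$(mktemp)
  gzip -c > "$f" <<'EOF'
openssl (1.1.1d-0+deb10u3) buster-security; urgency=medium

  * CVE-2020-1967 (Segmentation fault in SSL_check_chain).

 -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Mon, 20 Apr 2020 22:23:01 +0200

openssl (1.1.1d-0+deb10u2) buster-security; urgency=medium

  * Reenable AES-CBC-HMAC-SHA ciphers (Closes: #941987).

 -- Placeholder Maintainer <placeholder@example.invalid>  Thu, 01 Jan 1970 00:00:00 +0000
EOF
  echo "$f"
}

# cve_fixed_in CHANGELOG_GZ CVE-ID
# Prints the version from the newest stanza whose body mentions the CVE id
# (changelogs are newest-first); exits 1 when no stanza mentions it.
cve_fixed_in() {
  changelog=$1 cve=$2
  zcat "$changelog" | awk -v cve="$cve" '
    # Stanza header at column 1: "<source> (<version>) <distribution>; urgency=..."
    /^[a-z0-9][a-z0-9.+-]* \(/ { ver = $2; gsub(/[()]/, "", ver); next }
    # Indented body line; require a non-digit (or end of line) after the id so
    # CVE-2020-1967 does not also match CVE-2020-19670.
    /^  / && $0 ~ (cve "([^0-9]|$)") { print ver; found = 1; exit }
    END { if (!found) exit 1 }
  '
}

# Optional: compare the fixing version against what dpkg says is installed.
# Only runs on a Debian host; prints "fixed" or "vulnerable" for PACKAGE CVE-ID.
installed_status() {
  pkg=$1 cve=$2
  command -v dpkg-query >/dev/null || { echo "dpkg not available"; return 2; }
  fix=$(cve_fixed_in "/usr/share/doc/$pkg/changelog.Debian.gz" "$cve") || { echo "no fix recorded"; return 1; }
  have=$(dpkg-query -W -f='${Version}' "$pkg")
  if dpkg --compare-versions "$have" ge "$fix"; then echo "fixed ($have >= $fix)"; else echo "vulnerable ($have < $fix)"; fi
}
```

Run `installed_status openssl CVE-2020-1967` on a Debian system to get the same answer as reading the changelog by hand.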

