
Re: debsecan does not report a vulnerability?



Ihor Antonov wrote:
> > > > Have I asked in the wrong list? Which list would be more appropriate?
> > > 
> > > Hi Victor,
> > > 
> > > I think this is the right list. But it seems that the message got lost
> > > somehow in the high volume. I have not used debsecan personally, so I am
> > > replying simply to keep this thread alive hoping to get it more visibility
> > 
> > Hi Ihor!
> > 
> > What do you use to track vulnerabilities in your Debian hosts? What's the
> > general approach? Do we just rely upon unattended-upgrade to fetch and
> > install patched packages for us?
> 
> Running unattended upgrades is generally a recommended way to keep the system
> up-to-date. It minimizes the time from an update being published to it being installed.
> 
> I got interested and installed debsecan on my laptop. Here is what man says:
> 
>        Much like the official Debian security advisories, debsecan's
>        vulnerability tracking is mostly based on source packages.
>        
> So it seems that it only knows about issues that were reported to source
> packages. The next logical step would be to grep the bug tracker to see if this CVE
> was even reported to that package.

So probably debsecan is the wrong tool to determine which of the
packages installed on the particular host are vulnerable? What is the
right tool then?

> 
> > I come from the FreeBSD world where there are two distinct mechanisms to
> > fix vulnerabilities: one for the base system (FreeBSD Security Advisories
> > and freebsd-update to install binary updates to the base system) and
> > another for third-party software from the ports collection ("pkg audit
> > -F" instead of security advisories, "pkg upgrade" to install up-to-date
> > patched versions of packages).
> > 
> > What do we have here, or where can I read more about it?
> There are also Debian security advisories:
> https://www.debian.org/security/ and debian-security-announce mailing list

And the tool for package audit? Is relying on "apt upgrade" the
recommended policy?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
