
Interpreting debsecan output



Hello,

Today I was looking at "debsecan" for the first time. It has sent me a
very long daily report containing entries such as:

CVE-2021-3695 A crafted 16-bit grayscale PNG image may lead to a...
  <https://security-tracker.debian.org/tracker/CVE-2021-3695>
  - grub-common, grub-pc, grub-pc-bin, grub2-common

I'm having trouble understanding why it is reporting things such as
the above. Looking at the link provided, I see:

Release     Version         Status
bullseye    2.06-3~deb11u1  fixed

I have newer versions installed:

$ dpkg-query -l grub-common grub-pc grub-pc-bin grub2-common
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version        Architecture Description
+++-==============-==============-============-=====================================================
ii  grub-common    2.06-3~deb11u2 i386         GRand Unified Bootloader (common files)
ii  grub-pc        2.06-3~deb11u2 i386         GRand Unified Bootloader, version 2 (PC/BIOS version)
ii  grub-pc-bin    2.06-3~deb11u2 i386         GRand Unified Bootloader, version 2 (PC/BIOS modules)
ii  grub2-common   2.06-3~deb11u2 i386         GRand Unified Bootloader (common files for version 2)

So why is debsecan reporting this as a security issue?

This is a very old host that has been continually upgraded since Debian
etch. At first debsecan included lots of complaints about removed
packages from earlier releases that had been left around after doing
dist-upgrade (Desired/Status='rc' in dpkg terms). I went through and
purged all of those so I believe there's only bullseye packages
remaining now, and that did reduce debsecan's output a lot, but I'm
having trouble understanding why it still mentions things like the
above.

Any ideas?

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
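As an added example (not the poster's code and not dpkg's or debsecan's own source), the following Python reimplements the Debian version-comparison algorithm described in deb-version(7) and exposed by `dpkg --compare-versions`, so the comparison the post turns on can be checked offline. The versions are the ones quoted above: the tracker's "fixed" version 2.06-3~deb11u1 and the installed 2.06-3~deb11u2. The helper name `is_at_or_above_fix` is my own and is not a debsecan API. The example only confirms what the poster expected, that deb11u2 sorts after deb11u1, and illustrates the tilde rule that makes such backport versions sort before the plain 2.06-3; it does not explain why debsecan listed the entry.

```python
"""Reimplementation of dpkg's Debian version comparison (deb-version(7)).

Added example: this follows the algorithm dpkg uses for
`dpkg --compare-versions`, written here so it runs without a Debian host.
"""

_DIGITS = "0123456789"


def _order(c):
    """Sort weight of one character in a non-digit run of a version string.

    '~' sorts before anything, even the end of the string; the end of the
    string sorts before letters; letters sort before every other character.
    """
    if c in _DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0  # end of string


def _cmp_fragment(a, b):
    """Compare an upstream_version or debian_revision the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using _order().
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: compare numerically, ignoring leading zeros.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in _DIGITS and j < len(b) and b[j] in _DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1  # a's number has more digits, so it is the larger one
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no hyphen at all: native package, empty revision
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0 as Debian version a sorts before, equal to or after b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    r = _cmp_fragment(ua, ub)
    if r:
        return r
    return _cmp_fragment(ra, rb)


_OPS = {
    "lt": lambda r: r < 0, "le": lambda r: r <= 0, "eq": lambda r: r == 0,
    "ne": lambda r: r != 0, "ge": lambda r: r >= 0, "gt": lambda r: r > 0,
}


def dpkg_compare(a, op, b):
    """Mirror `dpkg --compare-versions A OP B` for the six two-letter operators."""
    return _OPS[op](compare_versions(a, b))


def is_at_or_above_fix(installed, fixed):
    """True when the installed version is the tracker's fixed version or newer (helper name is mine)."""
    return dpkg_compare(installed, "ge", fixed)


if __name__ == "__main__":
    # Values from the post: tracker says fixed in 2.06-3~deb11u1,
    # dpkg-query shows 2.06-3~deb11u2 installed.
    print(is_at_or_above_fix("2.06-3~deb11u2", "2.06-3~deb11u1"))  # True
    # The tilde rule: 2.06-3~deb11u2 is still older than plain 2.06-3.
    print(dpkg_compare("2.06-3~deb11u2", "lt", "2.06-3"))  # True
```

On a Debian host the same two checks are `dpkg --compare-versions 2.06-3~deb11u2 ge 2.06-3~deb11u1 && echo yes` and `dpkg --compare-versions 2.06-3~deb11u2 lt 2.06-3 && echo yes`; the Python above is useful when you want to compare a whole report against tracker data somewhere dpkg is not installed.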