
Re: Interpreting debsecan output



On 2022-11-02, Andy Smith <andy@strugglers.net> wrote:
>
> So why is debsecan reporting this as a security issue?
>
> This is a very old host that has been continually upgraded since Debian

I don't really know, but maybe because 

 Much like the official Debian security advisories, debsecan's
 vulnerability tracking is mostly based on source packages. This can be
 confusing because tools like dpkg only display binary package names.
 Therefore, debsecan displays the more familiar binary package names.
 This has the unfortunate effect that all binary packages (including
 packages containing only documentation, for example) are flagged as
 vulnerable, and not only those packages which actually contain the
 vulnerable code.

I don't even understand that paragraph! Sorry for the interruption!
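
Added example, not part of the original message and not debsecan's own code: a simplified model of the source-to-binary mapping the quoted paragraph describes, showing why a documentation-only package is flagged along with the library. The status stanzas and package names (foo, libfoo1, foo-doc, bar, baz) are constructed, and skipping packages that are not fully installed is an assumption of this sketch.

```python
# Constructed dpkg-status-style stanzas (sample data, not from the thread).
SAMPLE_STATUS = """\
Package: libfoo1
Status: install ok installed
Source: foo (1.2-3)

Package: foo-doc
Status: install ok installed
Source: foo

Package: foo
Status: install ok installed

Package: bar
Status: deinstall ok config-files
Source: foo

Package: baz
Status: install ok installed
"""

def parse_stanzas(text):
    """Yield each stanza as a dict of field -> value (continuation lines skipped)."""
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if line[:1] in (" ", "\t") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        yield fields

def source_of(fields):
    """Source package name; the Source field is omitted when it equals Package."""
    src = fields.get("Source", fields["Package"])
    return src.split()[0]  # drop the optional "(version)" suffix

def flagged_binaries(status_text, vulnerable_sources):
    """Installed binary packages built from any vulnerable source package."""
    hits = []
    for f in parse_stanzas(status_text):
        # Assumption of this sketch: only fully installed packages count.
        if f.get("Status", "").split()[-1:] != ["installed"]:
            continue
        if source_of(f) in vulnerable_sources:
            hits.append(f["Package"])
    return sorted(hits)

if __name__ == "__main__":
    print(flagged_binaries(SAMPLE_STATUS, {"foo"}))
```

The advisory names only the source package foo, yet foo-doc is reported next to libfoo1 and foo because all three are built from it.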


