Inconsistency between unattended-upgrade and debsecan
To install security updates automatically I use unattended-upgrade:



$ sudo unattended-upgrade -d | tail -1
No packages found that can be upgraded unattended and no pending auto-removals


I also tried another tool called debsecan (homepage, currently in the official repos) to list all packages with any vulnerability in the CVE database. On a recently updated Ubuntu 18.04 LTS it returns 967 "remotely exploitable, high urgency" vulnerabilities on 220 packages (7 times more in total):



$ debsecan | grep "remotely exploitable, high urgency" | wc -l
967
$ debsecan | grep "remotely exploitable, high urgency" | col2 | uniq | wc -l
220
$ debsecan | grep -o "201[0-9]" | sort | uniq -c
10 2012
22 2013
7 2014
55 2015
330 2016
1379 2017
4596 2018
244 2019



  1. Am I missing something?

  2. Is there any tool to check for vulnerabilities, maybe a debsecan for Ubuntu, like Red Hat's OpenSCAP? Any other besides OpenVAS or Nessus?


Updates




  • Answer from someone on the Ubuntu Security Team:


    In Ubuntu, landscape is the preferred solution for checking security update status.



    We would certainly like for someone to contribute the modifications required to get debsecan working. Here is the bug about debsecan.



    debsecan should be either adjusted (for ubuntu) or removed





  • Seems debsecan reads this file:



    curl -s https://security-tracker.debian.org/tracker/debsecan/release/1/GENERIC | zlib-flate -uncompress | less


    AFAIK (please correct me), since there is no API, the data from the CVE-tracking page or USN (or maybe easier from here) should be merged [into a JSON and] there.
edited Jan 28 at 17:46
Pablo Bianchi
asked Jan 28 at 4:04
Pablo Bianchi
  • What is the output of cat /etc/*-release? You may be on an unsupported version?

    – DK Bose
    Jan 28 at 4:12
1 Answer
TL;DR: debsecan needs to be fixed to use Ubuntu's security tracker for it to be of any use on Ubuntu.





The debsecan script only checks the Debian Security Tracker, and only supports Debian releases in its --suite option. Since patched versions of Ubuntu packages don't show up in Debian's tracker, we get results like this:



$  debsecan | grep "remotely exploitable, high urgency" | head
CVE-2017-14632 libvorbisfile3 (remotely exploitable, high urgency)
CVE-2016-2776 bind9-host (remotely exploitable, high urgency)
CVE-2017-14930 binutils-dev (remotely exploitable, high urgency)
CVE-2017-8421 binutils-dev (remotely exploitable, high urgency)
CVE-2018-8784 libwinpr-interlocked0.1 (remotely exploitable, high urgency)
...


I'm on 16.04, and of these CVEs:





  • CVE-2017-14632 is fix-released in 16.04


  • CVE-2016-2776 is fix-released in 16.04


  • CVE-2017-14930 needs triage in 16.04, and newer releases are marked not affected.


  • CVE-2017-8421 needs triage

  • and CVE-2018-8784 does not exist in 16.04.


So, of the first five I looked at, three were fixed or didn't affect me, one had some action taken and only one hadn't seen any action. The next five, CVE-2018-8785 through 2018-8789, were all fix-released or not affecting 16.04.
edited Jan 28 at 4:32
Pablo Bianchi
answered Jan 28 at 4:22
Olorin
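The manual cross-check the answer walks through, as an added example that is not code from the question, the answer, or debsecan itself: parse debsecan's one-line-per-finding output and filter each CVE through a table of Ubuntu per-release statuses, so that findings Ubuntu has already released a fix for (or that do not exist in the release) are separated from the ones still worth looking at. The sample output is the five lines quoted in the answer, the 16.04 status table is constructed from the statuses the answer reports, and the status names are assumptions; nothing here talks to the Ubuntu tracker.

```python
"""Triage debsecan findings against Ubuntu's per-release CVE status.

debsecan consults only the Debian Security Tracker, so on Ubuntu it keeps
reporting CVEs that Ubuntu has already fixed in its own package versions.
"""
import re
from collections import Counter
from typing import NamedTuple

# debsecan prints one finding per line, for example:
#   CVE-2017-14632 libvorbisfile3 (remotely exploitable, high urgency)
FINDING_RE = re.compile(r"^(CVE-\d{4}-\d+)\s+(\S+)\s+\((.*)\)$")

# Constructed sample: the five lines quoted in the answer.
SAMPLE_OUTPUT = """\
CVE-2017-14632 libvorbisfile3 (remotely exploitable, high urgency)
CVE-2016-2776 bind9-host (remotely exploitable, high urgency)
CVE-2017-14930 binutils-dev (remotely exploitable, high urgency)
CVE-2017-8421 binutils-dev (remotely exploitable, high urgency)
CVE-2018-8784 libwinpr-interlocked0.1 (remotely exploitable, high urgency)
"""

# Ubuntu 16.04 statuses as the answer reports them. Constructed table with
# assumed status names; in practice it is filled from the Ubuntu CVE tracker.
UBUNTU_STATUS_1604 = {
    "CVE-2017-14632": "released",
    "CVE-2016-2776": "released",
    "CVE-2017-14930": "needs-triage",
    "CVE-2017-8421": "needs-triage",
    "CVE-2018-8784": "DNE",  # the affected package does not exist in 16.04
}

# Statuses under which a debsecan finding is noise on this release.
NOISE_STATUSES = {"released", "not-affected", "DNE"}
HIGH_REMOTE = ("remotely exploitable", "high urgency")


class Finding(NamedTuple):
    cve: str
    package: str
    flags: tuple  # e.g. ("remotely exploitable", "high urgency")


def parse_debsecan(text: str) -> list:
    """Parse debsecan output; lines that are not findings are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            cve, pkg, flags = m.groups()
            findings.append(Finding(cve, pkg, tuple(x.strip() for x in flags.split(","))))
    return findings


def triage(findings, ubuntu_status, required=HIGH_REMOTE):
    """Split findings carrying all `required` flags into (actionable, noise).

    A CVE absent from the status table stays actionable: unknown is not fixed.
    """
    actionable, noise = [], []
    for f in findings:
        if not all(flag in f.flags for flag in required):
            continue
        status = ubuntu_status.get(f.cve, "unknown")
        (noise if status in NOISE_STATUSES else actionable).append((f, status))
    return actionable, noise


def count_by_year(findings) -> dict:
    """Histogram of CVE years, like the asker's grep -o '201[0-9]' pipeline."""
    return dict(Counter(int(f.cve.split("-")[1]) for f in findings))
```

On the sample, three of the five findings fall out as noise and the two needs-triage CVEs remain, which is the ratio the answer found by hand.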
  • Thank you! So you think there is nothing I should worry about? So does it make sense to have debsecan there in the Ubuntu repos? Is there any debsecan for Ubuntu? Or just alternative ways to make basic security checks.

    – Pablo Bianchi
    Jan 28 at 4:35
    @PabloBianchi I think if the Ubuntu Security Team would offer debsecan data on their site, the tool could work. I checked the file it accesses and it's a fairly simple CSV file (zlib compressed). security.stackexchange.com/q/187909 says there's no built-in way to get easily parsed data from Ubuntu, so maybe such a tool doesn't exist for Ubuntu now.

    – Olorin
    Jan 28 at 4:48