Inconsistency between unattended-upgrade and debsecan
To install security updates automatically I use unattended-upgrade:
$ sudo unattended-upgrade -d | tail -1
No packages found that can be upgraded unattended and no pending auto-removals
I also tried another tool called debsecan (homepage, currently on official repos) too list all packages with any vulnerability of CVE database. On a recently updated Ubuntu 18.04 LTS it return 967 "remotely exploitable, high urgency" vulnerabilities on 220 packages (7 times more in total):
$ debsecan | grep "remotely exploitable, high urgency" | wc -l
967
$ debsecan | grep "remotely exploitable, high urgency" | col2 | uniq | wc -l
220
$ debsecan | grep -o "201[0-9]" | sort | uniq -c
10 2012
22 2013
7 2014
55 2015
330 2016
1379 2017
4596 2018
244 2019
- Am I missing something?
- There is any tool to check for vulnerabilities, maybe a debsecan for Ubuntu, like Red Hat's OpenSCAP. Any other beside OpenVAS or Nessus?
Updates
- Answer from somoene on Ubuntu Security Team:
In Ubuntu, landscape is the preferred solution for checking security update status.
We would certainly like for someone to contribute the modifications required to get debsecan working. Here is the bug about debsecan.
debsecan should be either adjusted (for ubuntu) or removed
Seems
debsecanread this file:
curl -s https://security-tracker.debian.org/tracker/debsecan/release/1/GENERIC | zlib-flate -uncompress | less
AFAIK (please correct me) since there is no API the data from CVE-tracking page or USN (or maybe easier from here) should be merged [into a JSON and] there.
security
asked Jan 28 at 4:04
Pablo BianchiPablo Bianchi
2,86521534
add a comment |
To install security updates automatically I use unattended-upgrade:
$ sudo unattended-upgrade -d | tail -1
No packages found that can be upgraded unattended and no pending auto-removals
I also tried another tool called debsecan (homepage, currently on official repos) too list all packages with any vulnerability of CVE database. On a recently updated Ubuntu 18.04 LTS it return 967 "remotely exploitable, high urgency" vulnerabilities on 220 packages (7 times more in total):
$ debsecan | grep "remotely exploitable, high urgency" | wc -l
967
$ debsecan | grep "remotely exploitable, high urgency" | col2 | uniq | wc -l
220
$ debsecan | grep -o "201[0-9]" | sort | uniq -c
10 2012
22 2013
7 2014
55 2015
330 2016
1379 2017
4596 2018
244 2019
- Am I missing something?
- There is any tool to check for vulnerabilities, maybe a debsecan for Ubuntu, like Red Hat's OpenSCAP. Any other beside OpenVAS or Nessus?
Updates
- Answer from somoene on Ubuntu Security Team:
In Ubuntu, landscape is the preferred solution for checking security update status.
We would certainly like for someone to contribute the modifications required to get debsecan working. Here is the bug about debsecan.
debsecan should be either adjusted (for ubuntu) or removed
Seems
debsecanread this file:
curl -s https://security-tracker.debian.org/tracker/debsecan/release/1/GENERIC | zlib-flate -uncompress | less
AFAIK (please correct me) since there is no API the data from CVE-tracking page or USN (or maybe easier from here) should be merged [into a JSON and] there.
security
asked Jan 28 at 4:04
Pablo BianchiPablo Bianchi
2,86521534
What is the output ofcat /etc/*-release? You maybe on an usupported version?
– DK Bose
Jan 28 at 4:12
add a comment |
To install security updates automatically I use unattended-upgrade:
$ sudo unattended-upgrade -d | tail -1
No packages found that can be upgraded unattended and no pending auto-removals
I also tried another tool called debsecan (homepage, currently on official repos) too list all packages with any vulnerability of CVE database. On a recently updated Ubuntu 18.04 LTS it return 967 "remotely exploitable, high urgency" vulnerabilities on 220 packages (7 times more in total):
$ debsecan | grep "remotely exploitable, high urgency" | wc -l
967
$ debsecan | grep "remotely exploitable, high urgency" | col2 | uniq | wc -l
220
$ debsecan | grep -o "201[0-9]" | sort | uniq -c
10 2012
22 2013
7 2014
55 2015
330 2016
1379 2017
4596 2018
244 2019
- Am I missing something?
- There is any tool to check for vulnerabilities, maybe a debsecan for Ubuntu, like Red Hat's OpenSCAP. Any other beside OpenVAS or Nessus?
Updates
- Answer from somoene on Ubuntu Security Team:
In Ubuntu, landscape is the preferred solution for checking security update status.
We would certainly like for someone to contribute the modifications required to get debsecan working. Here is the bug about debsecan.
debsecan should be either adjusted (for ubuntu) or removed
Seems
debsecanread this file:
curl -s https://security-tracker.debian.org/tracker/debsecan/release/1/GENERIC | zlib-flate -uncompress | less
AFAIK (please correct me) since there is no API the data from CVE-tracking page or USN (or maybe easier from here) should be merged [into a JSON and] there.
security
asked Jan 28 at 4:04
Pablo BianchiPablo Bianchi
2,86521534
To install security updates automatically I use unattended-upgrade:
$ sudo unattended-upgrade -d | tail -1
No packages found that can be upgraded unattended and no pending auto-removals
I also tried another tool called debsecan (homepage, currently on official repos) too list all packages with any vulnerability of CVE database. On a recently updated Ubuntu 18.04 LTS it return 967 "remotely exploitable, high urgency" vulnerabilities on 220 packages (7 times more in total):
$ debsecan | grep "remotely exploitable, high urgency" | wc -l
967
$ debsecan | grep "remotely exploitable, high urgency" | col2 | uniq | wc -l
220
$ debsecan | grep -o "201[0-9]" | sort | uniq -c
10 2012
22 2013
7 2014
55 2015
330 2016
1379 2017
4596 2018
244 2019
- Am I missing something?
- There is any tool to check for vulnerabilities, maybe a debsecan for Ubuntu, like Red Hat's OpenSCAP. Any other beside OpenVAS or Nessus?
Updates
- Answer from somoene on Ubuntu Security Team:
In Ubuntu, landscape is the preferred solution for checking security update status.
We would certainly like for someone to contribute the modifications required to get debsecan working. Here is the bug about debsecan.
debsecan should be either adjusted (for ubuntu) or removed
Seems
debsecanread this file:
curl -s https://security-tracker.debian.org/tracker/debsecan/release/1/GENERIC | zlib-flate -uncompress | less
AFAIK (please correct me) since there is no API the data from CVE-tracking page or USN (or maybe easier from here) should be merged [into a JSON and] there.
security
security
asked Jan 28 at 4:04
Pablo BianchiPablo Bianchi
2,86521534
asked Jan 28 at 4:04
Pablo BianchiPablo Bianchi
2,86521534
edited Jan 28 at 17:46
Pablo Bianchi
asked Jan 28 at 4:04
Pablo BianchiPablo Bianchi
2,86521534
asked Jan 28 at 4:04
Pablo BianchiPablo Bianchi
2,86521534
asked Jan 28 at 4:04
Pablo BianchiPablo Bianchi
2,86521534
2,86521534
What is the output ofcat /etc/*-release? You maybe on an usupported version?
– DK Bose
Jan 28 at 4:12
add a comment |
What is the output ofcat /etc/*-release? You maybe on an usupported version?
– DK Bose
Jan 28 at 4:12
What is the output of
cat /etc/*-release? You maybe on an usupported version?– DK Bose
Jan 28 at 4:12
What is the output of
cat /etc/*-release? You maybe on an usupported version?– DK Bose
Jan 28 at 4:12
add a comment |
1 Answer
1
active
oldest
votes
Tl;DR: debsecan needs to be fixed to use Ubuntu's security tracker for it to be of any use on Ubuntu.
The debsecan script only checks the Debian Security Tracker, and only supports Debian releases in the --suite options. Since patched versions of Ubuntu packages don't show up in Debian's tracker, we get results like this:
$ debsecan | grep "remotely exploitable, high urgency" | head
CVE-2017-14632 libvorbisfile3 (remotely exploitable, high urgency)
CVE-2016-2776 bind9-host (remotely exploitable, high urgency)
CVE-2017-14930 binutils-dev (remotely exploitable, high urgency)
CVE-2017-8421 binutils-dev (remotely exploitable, high urgency)
CVE-2018-8784 libwinpr-interlocked0.1 (remotely exploitable, high urgency)
...
I'm on 16.04, and of these CVEs:
CVE-2017-14632 is fix-released in 16.04
CVE-2016-2776 is fix-released in 16.04
CVE-2017-14930 needs triage in 16.04, and newer releases are marked not affected.
CVE-2017-8421 needs triage- and CVE-2018-8784 does not exist in 16.04.
So, of the first five I looked at, three were fixed or didn't affect me, one had some action taken and only one hadn't seen any action. The next five, CVE-2018-8785 through 2018-8789, were all fix-released or not affecting 16.04.
edited Jan 28 at 4:32
Pablo Bianchi
2,86521534
answered Jan 28 at 4:22
OlorinOlorin
2,621924
Thank you! So you think there is nothing I should worry about? So does make sens to have debsecan there on Ubuntu repos? There is any debsecan for Ubuntu? Or just alternative ways to make basic security checks.
– Pablo Bianchi
Jan 28 at 4:35
1
@PabloBianchi I think if the Ubuntu Security Team would offer debsecan data on their site, the tool could work. I checked the file it accesses and it's a fairly simple CSV file (zlib compressed). security.stackexchange.com/q/187909 says there's no built-in way to get easily parsed data from Ubuntu, so maybe such a tool doesn't exist for Ubuntu now.
– Olorin
Jan 28 at 4:48
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1113429%2finconsistency-between-unattended-upgrade-and-debsecan%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Tl;DR: debsecan needs to be fixed to use Ubuntu's security tracker for it to be of any use on Ubuntu.
The debsecan script only checks the Debian Security Tracker, and only supports Debian releases in the --suite options. Since patched versions of Ubuntu packages don't show up in Debian's tracker, we get results like this:
$ debsecan | grep "remotely exploitable, high urgency" | head
CVE-2017-14632 libvorbisfile3 (remotely exploitable, high urgency)
CVE-2016-2776 bind9-host (remotely exploitable, high urgency)
CVE-2017-14930 binutils-dev (remotely exploitable, high urgency)
CVE-2017-8421 binutils-dev (remotely exploitable, high urgency)
CVE-2018-8784 libwinpr-interlocked0.1 (remotely exploitable, high urgency)
...
I'm on 16.04, and of these CVEs:
CVE-2017-14632 is fix-released in 16.04
CVE-2016-2776 is fix-released in 16.04
CVE-2017-14930 needs triage in 16.04, and newer releases are marked not affected.
CVE-2017-8421 needs triage- and CVE-2018-8784 does not exist in 16.04.
So, of the first five I looked at, three were fixed or didn't affect me, one had some action taken and only one hadn't seen any action. The next five, CVE-2018-8785 through 2018-8789, were all fix-released or not affecting 16.04.
edited Jan 28 at 4:32
Pablo Bianchi
2,86521534
answered Jan 28 at 4:22
OlorinOlorin
2,621924
Thank you! So you think there is nothing I should worry about? So does make sens to have debsecan there on Ubuntu repos? There is any debsecan for Ubuntu? Or just alternative ways to make basic security checks.
– Pablo Bianchi
Jan 28 at 4:35
1
@PabloBianchi I think if the Ubuntu Security Team would offer debsecan data on their site, the tool could work. I checked the file it accesses and it's a fairly simple CSV file (zlib compressed). security.stackexchange.com/q/187909 says there's no built-in way to get easily parsed data from Ubuntu, so maybe such a tool doesn't exist for Ubuntu now.
– Olorin
Jan 28 at 4:48
add a comment |
Tl;DR: debsecan needs to be fixed to use Ubuntu's security tracker for it to be of any use on Ubuntu.
The debsecan script only checks the Debian Security Tracker, and only supports Debian releases in the --suite options. Since patched versions of Ubuntu packages don't show up in Debian's tracker, we get results like this:
$ debsecan | grep "remotely exploitable, high urgency" | head
CVE-2017-14632 libvorbisfile3 (remotely exploitable, high urgency)
CVE-2016-2776 bind9-host (remotely exploitable, high urgency)
CVE-2017-14930 binutils-dev (remotely exploitable, high urgency)
CVE-2017-8421 binutils-dev (remotely exploitable, high urgency)
CVE-2018-8784 libwinpr-interlocked0.1 (remotely exploitable, high urgency)
...
I'm on 16.04, and of these CVEs:
CVE-2017-14632 is fix-released in 16.04
CVE-2016-2776 is fix-released in 16.04
CVE-2017-14930 needs triage in 16.04, and newer releases are marked not affected.
CVE-2017-8421 needs triage- and CVE-2018-8784 does not exist in 16.04.
So, of the first five I looked at, three were fixed or didn't affect me, one had some action taken and only one hadn't seen any action. The next five, CVE-2018-8785 through 2018-8789, were all fix-released or not affecting 16.04.
edited Jan 28 at 4:32
Pablo Bianchi
2,86521534
answered Jan 28 at 4:22
OlorinOlorin
2,621924
Thank you! So you think there is nothing I should worry about? So does make sens to have debsecan there on Ubuntu repos? There is any debsecan for Ubuntu? Or just alternative ways to make basic security checks.
– Pablo Bianchi
Jan 28 at 4:35
1
@PabloBianchi I think if the Ubuntu Security Team would offer debsecan data on their site, the tool could work. I checked the file it accesses and it's a fairly simple CSV file (zlib compressed). security.stackexchange.com/q/187909 says there's no built-in way to get easily parsed data from Ubuntu, so maybe such a tool doesn't exist for Ubuntu now.
– Olorin
Jan 28 at 4:48
add a comment |
Tl;DR: debsecan needs to be fixed to use Ubuntu's security tracker for it to be of any use on Ubuntu.
The debsecan script only checks the Debian Security Tracker, and only supports Debian releases in the --suite options. Since patched versions of Ubuntu packages don't show up in Debian's tracker, we get results like this:
$ debsecan | grep "remotely exploitable, high urgency" | head
CVE-2017-14632 libvorbisfile3 (remotely exploitable, high urgency)
CVE-2016-2776 bind9-host (remotely exploitable, high urgency)
CVE-2017-14930 binutils-dev (remotely exploitable, high urgency)
CVE-2017-8421 binutils-dev (remotely exploitable, high urgency)
CVE-2018-8784 libwinpr-interlocked0.1 (remotely exploitable, high urgency)
...
I'm on 16.04, and of these CVEs:
CVE-2017-14632 is fix-released in 16.04
CVE-2016-2776 is fix-released in 16.04
CVE-2017-14930 needs triage in 16.04, and newer releases are marked not affected.
CVE-2017-8421 needs triage- and CVE-2018-8784 does not exist in 16.04.
So, of the first five I looked at, three were fixed or didn't affect me, one had some action taken and only one hadn't seen any action. The next five, CVE-2018-8785 through 2018-8789, were all fix-released or not affecting 16.04.
edited Jan 28 at 4:32
Pablo Bianchi
2,86521534
answered Jan 28 at 4:22
OlorinOlorin
2,621924
Tl;DR: debsecan needs to be fixed to use Ubuntu's security tracker for it to be of any use on Ubuntu.
The debsecan script only checks the Debian Security Tracker, and only supports Debian releases in the --suite options. Since patched versions of Ubuntu packages don't show up in Debian's tracker, we get results like this:
$ debsecan | grep "remotely exploitable, high urgency" | head
CVE-2017-14632 libvorbisfile3 (remotely exploitable, high urgency)
CVE-2016-2776 bind9-host (remotely exploitable, high urgency)
CVE-2017-14930 binutils-dev (remotely exploitable, high urgency)
CVE-2017-8421 binutils-dev (remotely exploitable, high urgency)
CVE-2018-8784 libwinpr-interlocked0.1 (remotely exploitable, high urgency)
...
I'm on 16.04, and of these CVEs:
CVE-2017-14632 is fix-released in 16.04
CVE-2016-2776 is fix-released in 16.04
CVE-2017-14930 needs triage in 16.04, and newer releases are marked not affected.
CVE-2017-8421 needs triage- and CVE-2018-8784 does not exist in 16.04.
So, of the first five I looked at, three were fixed or didn't affect me, one had some action taken and only one hadn't seen any action. The next five, CVE-2018-8785 through 2018-8789, were all fix-released or not affecting 16.04.
edited Jan 28 at 4:32
Pablo Bianchi
2,86521534
answered Jan 28 at 4:22
OlorinOlorin
2,621924
edited Jan 28 at 4:32
Pablo Bianchi
2,86521534
edited Jan 28 at 4:32
Pablo Bianchi
2,86521534
edited Jan 28 at 4:32
Pablo Bianchi
2,86521534
2,86521534
answered Jan 28 at 4:22
OlorinOlorin
2,621924
answered Jan 28 at 4:22
OlorinOlorin
2,621924
answered Jan 28 at 4:22
OlorinOlorin
2,621924
2,621924
Thank you! So you think there is nothing I should worry about? So does make sens to have debsecan there on Ubuntu repos? There is any debsecan for Ubuntu? Or just alternative ways to make basic security checks.
– Pablo Bianchi
Jan 28 at 4:35
1
@PabloBianchi I think if the Ubuntu Security Team would offer debsecan data on their site, the tool could work. I checked the file it accesses and it's a fairly simple CSV file (zlib compressed). security.stackexchange.com/q/187909 says there's no built-in way to get easily parsed data from Ubuntu, so maybe such a tool doesn't exist for Ubuntu now.
– Olorin
Jan 28 at 4:48
add a comment |
Thank you! So you think there is nothing I should worry about? So does make sens to have debsecan there on Ubuntu repos? There is any debsecan for Ubuntu? Or just alternative ways to make basic security checks.
– Pablo Bianchi
Jan 28 at 4:35
1
@PabloBianchi I think if the Ubuntu Security Team would offer debsecan data on their site, the tool could work. I checked the file it accesses and it's a fairly simple CSV file (zlib compressed). security.stackexchange.com/q/187909 says there's no built-in way to get easily parsed data from Ubuntu, so maybe such a tool doesn't exist for Ubuntu now.
– Olorin
Jan 28 at 4:48
Thank you! So you think there is nothing I should worry about? So does make sens to have debsecan there on Ubuntu repos? There is any debsecan for Ubuntu? Or just alternative ways to make basic security checks.
– Pablo Bianchi
Jan 28 at 4:35
Thank you! So you think there is nothing I should worry about? So does make sens to have debsecan there on Ubuntu repos? There is any debsecan for Ubuntu? Or just alternative ways to make basic security checks.
– Pablo Bianchi
Jan 28 at 4:35
1
1
@PabloBianchi I think if the Ubuntu Security Team would offer debsecan data on their site, the tool could work. I checked the file it accesses and it's a fairly simple CSV file (zlib compressed). security.stackexchange.com/q/187909 says there's no built-in way to get easily parsed data from Ubuntu, so maybe such a tool doesn't exist for Ubuntu now.
– Olorin
Jan 28 at 4:48
@PabloBianchi I think if the Ubuntu Security Team would offer debsecan data on their site, the tool could work. I checked the file it accesses and it's a fairly simple CSV file (zlib compressed). security.stackexchange.com/q/187909 says there's no built-in way to get easily parsed data from Ubuntu, so maybe such a tool doesn't exist for Ubuntu now.
– Olorin
Jan 28 at 4:48
add a comment |
Thanks for contributing an answer to Ask Ubuntu!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1113429%2finconsistency-between-unattended-upgrade-and-debsecan%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
What is the output of
cat /etc/*-release? You maybe on an usupported version?– DK Bose
Jan 28 at 4:12