debsecan

The debsecan program evaluates the security status of a host running the Debian operation system. It reports missing security updates and known vulnerabilities in the programs which are installed on the host.

debsecan accesses the dpkg database and obtains a list of installed packages and their versions. This list is then evaluated against a feed of vulnerability information which ultimately comes from a database maintained by Debian's Testing Security Team . Various output formats are supported, including incremental reporting via email.

Beginning with version 0.2, debsecan includes a script called debsecan-create-cron , which allows you to create a cron job which periodically sends you mail (once per day) when the security status of the system changes.

In the following examples, we assume that the host under examination runs Debian sid, hence the --suite sid option is specified in all cases. Since version 0.3, the --suite is no longer mandatory, but additional information (regarding available updates and installed, but obsolete packages) is available if you specify the correct suite.

The first command gives a brief overview of all known vulnerabilities which potentially affect the system:

$ debsecan --suite sid CVE-2005-1119 sudo (low urgency) CVE-2005-4158 sudo (medium urgency) FAKE-0340105 vpnc (medium urgency) CVE-2005-2351 mutt (low urgency) FAKE-0329814 apt (low urgency) […]

We can get more detail if we choose a different output format:

$ debsecan --suite sid --format detail CVE-2005-1119 (low urgency) Sudo VISudo 1.6.8 and earlier allows local users to corrupt arbitrary ... installed: sudo 1.6.8p9-4 (built from sudo 1.6.8p9-4) fixed package: not yet available CVE-2005-4158 (medium urgency) Sudo before 1.6.8 p12, when the Perl taint flag is off, does not clear ... installed: sudo 1.6.8p9-4 (built from sudo 1.6.8p9-4) fixed package: not yet available […]

Using --only-fixed , the output can be restricted to missing security updates:

$ debsecan --suite sid --only-fixed CVE-2005-3191 tetex-bin (fixed, medium urgency) CVE-2005-3192 tetex-bin (fixed, remotely exploitable, medium urgency) CVE-2005-3193 tetex-bin (fixed, medium urgency)

The packages output format is suitable for input to apt-get :

# debsecan --suite sid --only-fixed --format packages tetex-bin # apt-get install $(debsecan --suite sid --only-fixed --format packages) Reading package lists... Done Building dependency tree... Done Suggested packages: dvipng chktex lacheck rubber sam2p The following packages will be upgraded: tetex-bin 1 upgraded, 0 newly installed, 0 to remove and 401 not upgraded. Need to get 3845kB of archives. After unpacking 4096B of additional disk space will be used. […]

In addition to these interactive use cases, it is also possible to invoke debsecan periodically to check the system status and alert the system administrators of any changes. The next command only sends mail if a change is detected.

# debsecan --suite sid --format report --mailto root --update-history

After installing tetex-bin , the email report might look like this:

From: root Subject: Debian security status of deneb.enyo.de To: root Date: Thu, 15 Dec 2005 18:17:02 +0100 Security report based on the sid release *** Fixed vulnerabilities CVE-2005-3192 - tetex-bin CVE-2005-3193 - tetex-bin CVE-2005-3191 - tetex-bin *** Vulnerabilities without updates CVE-2004-1617 Lynx allows remote attackers to cause a denial of service… - lynx (remotely exploitable, low urgency) […]

debsecan is an official Debian package. The current development version is distributed as a GIT repository. If you want to create a local mirror of the repository, use the following command:

$ git clone https://git.enyo.de/fw/debian/debsecan.git

The debsecan program itself is a freestanding Python script. If you do not want to install darcs , you can download just the script:

Revisions

2005-12-15: published

2005-12-16: Corrected second example.

2005-12-19: Version 0.2 was published, which includes a script to generate cron entries.

2005-12-28: The program is now available from the Debian archive, and pinning is supported.

2007-04-09: Switched to GIT as the version control system.

Florian Weimer

Home Blog (DE) Blog (EN) RSS Feeds Impressum