Ask Ubuntu Asked on December 17, 2021
To install security updates automatically I use unattended-upgrade:
$ sudo unattended-upgrade -d | tail -1
No packages found that can be upgraded unattended and no pending auto-removals
I also tried another tool called debsecan (homepage, currently on official repos) to list all packages with any vulnerability of CVE database. On a recently updated Ubuntu 18.04 LTS it returns 967 "remotely exploitable, high urgency" vulnerabilities on 220 packages (7 times more in total):
$ debsecan | grep "remotely exploitable, high urgency" | wc -l
967
$ debsecan | grep "remotely exploitable, high urgency" | col2 | uniq | wc -l
220
$ debsecan | grep -o "CVE-20[0-2][0-9]" | sort | uniq -c
3 CVE-2007
2 CVE-2008
8 CVE-2009
3 CVE-2012
14 CVE-2013
9 CVE-2014
42 CVE-2015
173 CVE-2016
948 CVE-2017
3616 CVE-2018
4158 CVE-2019
3540 CVE-2020
1 CVE-2021
2019: Answer from someone on Ubuntu Security Team:
In Ubuntu, landscape is the preferred solution for checking security update status.
We would certainly like for someone to contribute the modifications required to get debsecan working. Here is the bug about debsecan.
Seems debsecan read this file:
curl -s https://security-tracker.debian.org/tracker/debsecan/release/1/GENERIC | zlib-flate -uncompress | less
AFAIK (please correct me) since there is no API for Ubuntu Security Advisory (USN), the data from CVE-tracking page or USN (or maybe easier from here, everything on bazaar.launchpad.net seems removed) should be merged [into a JSON and] there.
2020-05: UST2DSA
We’ve just finished a tool to build debsecan suitable databases from the Ubuntu CVE Tracker data.
It is open source under Apache 2.0 and it is available here: https://github.com/BBVA/ust2dsa
Using Github’s CI we rebuild the databases every 6 hours for them to contain the latest vulnerability information.
If anybody want to test the result you just have to run this command in your current Ubuntu installation:
debsecan --suite $(lsb_release --codename --short) --source https://raw.githubusercontent.com/BBVA/ust2dsa/data/
2021-11: Ubuntu’s OVAL data using OpenSCAP
sudo apt install libopenscap8 # Install OpenSCAP base
wget https://security-metadata.canonical.com/oval/com.ubuntu.$(lsb_release -cs).usn.oval.xml.bz2
bunzip2 com.ubuntu.$(lsb_release -cs).usn.oval.xml.bz2
oscap oval eval --report report.html com.ubuntu.$(lsb_release -cs).usn.oval.xml
xdg-open report.html
Tl;DR: debsecan needs to be fixed to use Ubuntu's security tracker for it to be of any use on Ubuntu.
The debsecan script only checks the Debian Security Tracker, and only supports Debian releases in the --suite options. Since patched versions of Ubuntu packages don't show up in Debian's tracker, we get results like this:
$ debsecan | grep "remotely exploitable, high urgency" | head
CVE-2017-14632 libvorbisfile3 (remotely exploitable, high urgency)
CVE-2016-2776 bind9-host (remotely exploitable, high urgency)
CVE-2017-14930 binutils-dev (remotely exploitable, high urgency)
CVE-2017-8421 binutils-dev (remotely exploitable, high urgency)
CVE-2018-8784 libwinpr-interlocked0.1 (remotely exploitable, high urgency)
...
I'm on 16.04, and of these CVEs:
So, of the first five I looked at, three were fixed or didn't affect me, one had some action taken and only one hadn't seen any action. The next five, CVE-2018-8785 through 2018-8789, were all fix-released or not affecting 16.04.
Answered by Olorin on December 17, 2021
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP