man debsecan (Commandes) - Debian Security Analyzer

NAME

debsecan - Debian Security Analyzer

SYNOPSIS

debsecan options...

DESCRIPTION

debsecan analyzes the list of installed packages on the current host and reports vulnerabilities found on the system.

OPTIONS

--suite count
Choose a specific suite. debsecan produces more informative output (including obsolete packages) if the correct suite is specified. The release code name has to be used ("sid"), not the temporal name ("unstable").
--whitelist file
Change the name of the whitelist file.
--add-whitelist, --remove-whitelist
Add or remove entries from the whitelist. See the CHANGING THE WHITELIST section below.
--source url
Override the default download URL for vulnerability data.
--status file
Evaluate a different dpkg status file.
--format format
Change the output format. If format is summary (the default), a short summary for each vulnerability is printed. For bugs and packages, debsecan lists the names of vulnerabilities and binary packages, respectively. --format detail requests a verbose output format, showing all available data. The report format is used for email reports.
--line-length characters
Specifies the line length in report mode. The default is 72.
--mailto mailbox
The --mailto option instructions debsecan to the send the report to the email address mailbox. No report is sent if there where no changes since the last invocation with --update-history. This option requires the --format report output format.
--only-fixed
Only list vulnerabilities for which a fix is available in the archive. Note that it can happen that a fix is listed, although the package has not been built for the system's architecture and is not yet available for download. (If you use this option, you also must specify the correct suite using --suite.)
--no-obsolete
Do not list any obsolete packages (see below). Using this option is not recommended because it hides real vulnerabilities on some systems, not just false positives.
--history file
Change the name of the history file used by --format report.
--update-history
Update the vulnerability status information after reporting it using --format report.
--cron
Internal option used for invocations from cron. Checks if the vulnerability data has already been downloaded today. In this case, further processing is skipped. See debsecan-create-cron(8) for instructions how to create a suitable cron entry.
--help
Display a short help message and exit.
--version
Display version information and exit.

CHANGING THE WHITELIST

You can use the --add-whitelist and --remove-whitelist options to change the whitelist. Whitelisted vulnerabilities are not included in the reports. For example,

debsecan --add-whitelist CVE-2005-4601

ignores the vulnerability CVE-2005-4601 completely, while

debsecan --add-whitelist CVE-2005-4601 perlmagick

ignores it only as far as the perlmagick is concerned. To remove all whitelist entries for the CVE-2005-4601 vulnerability, use:

debsecan --remove-whitelist CVE-2005-4601

If you want to remove an entry for a specific vulnerability/package pair, list the package name explicitly, as in:

debsecan --remove-whitelist CVE-2005-4601 imagemagick

You can list multiple vulnerability and packages. For example,

debsecan --add-whitelist CVE-2005-4601 \
CVE-2006-0082 imagemagick perlmagick

whitelists CVE-2005-4601 for all packages, and CVE-2006-0082 for the imagemagick and perlmagick packages only.

CAVEATS

Much like the official Debian security advisories, debsecan's vulnerability tracking is mostly based on source packages. This can be confusing because tools like dpkg only display binary package names. Therefore, debsecan displays the more familiar binary package names. This has the unfortunate effect that all binary packages (including packages containing only documentation, for example) are flagged as vulnerable, and not only those packages which actually contain the vulnerable code.

If the correct --suite option is specified, debsecan may mark some packages as obsolete. This means that the binary package in question has been removed from the archive. In this case, you need to update all the packages depending on the obsolete package, and subsequently remove the obsolete pacakge.

For certain architectures, build daemons may lag considerably. In such case, debsecan may incorrectly mark a package as fixed, even if an update is not yet available in the Debian archive.

Note that debsecan version uses the --suite option only to determine the availability of corrected packages and to detect obsolete packages. If you specify the wrong suite, only the information on available security updates and obsolete packages is wrong, but the list of vulnerabilities is correct.

Mixing packages from different Debian releases is supported, as long as the packages still carry their official version numbers. Unknown package versions (from backported packages, for example) are compared to the version in Debian unstable only, which may lead to incorrect reports.

EXAMPLES

This command prints all package names for which security fixes are available:

debsecan --suite suite --format packages --only-fixed

If you pass this output to apt-get, you can download new packages which contain security fixes. For example, if you are running sid:

apt-get install \
$(debsecan --suite sid --format packages --only-fixed)

The following command can be invoked periodically, to get notifications of new security issues:

debsecan --suite suite --format report \
--update-history --mailto root

See debsecan-create-cron(8) for a tool which creates a suitable cron entry.

AUTHOR

debsecan was written by Florian Weimer.

SEE ALSO