debsecan

Here you can discuss every aspect of Debian. Note: not for support requests!
ruffwoof
Posts: 298
Joined: 2016-08-20 21:00

debsecan

#1 Post by ruffwoof »

I installed debsecan and then ran

debsecan --suite jessie

and back came nearly 2000

Filtering that down to high urgency and remotely exploitable still saw nearly 200

debsecan --suite=jessie | grep "high urgency" | grep "remotely exploitable" | sort | uniq | wc -l

Filtering that list down to remove duplicate CVE numbers left 71

As a relative newb I find that worrying. Should I be?
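The pipeline in the post above, rerun on constructed input as an added example (not code from the thread or from debsecan itself). It shows why the two numbers the post reports differ: `sort | uniq | wc -l` only collapses identical lines, so it counts (CVE, binary package) pairs, while the second count collapses to distinct CVE identifiers. Assumptions: debsecan's summary lines have the shape `CVE-YYYY-NNNN <package> (<flag>, <flag>, ...)` and the flag wording matches the two greps in the post; the sample lines are made up to fit that shape.

```shell
# Added example: reproduce the post's debsecan filtering on a known sample
# so the "matching lines" and "distinct CVEs" counts can be compared.
# Assumption: debsecan summary lines look like
#   CVE-YYYY-NNNN <binary-package> (<flag>, <flag>, ...)
# with flags such as "high urgency" and "remotely exploitable".

# Constructed sample (not real debsecan output): several binary packages
# built from one vulnerable source package each get their own line.
SAMPLE='CVE-2016-0001 libfoo1 (remotely exploitable, high urgency)
CVE-2016-0001 libfoo-dev (remotely exploitable, high urgency)
CVE-2016-0002 bar (high urgency)
CVE-2016-0003 baz (remotely exploitable, low urgency)
CVE-2016-0004 qux (remotely exploitable, high urgency)
CVE-2016-0004 qux-utils (remotely exploitable, high urgency)'

# Same filter as the post: keep lines carrying both flags. Reads stdin.
high_remote() {
    grep 'high urgency' | grep 'remotely exploitable'
}

# The post's first count: "sort | uniq" removes only identical lines,
# so this is the number of (CVE, package) pairs, not of vulnerabilities.
count_pairs() {
    printf '%s\n' "$1" | high_remote | sort | uniq | wc -l | tr -d ' '
}

# Distinct CVE identifiers: first whitespace-separated field, de-duplicated.
distinct_cves() {
    high_remote | awk '{print $1}' | sort -u
}

# The post's second count: one entry per CVE.
count_cves() {
    printf '%s\n' "$1" | distinct_cves | wc -l | tr -d ' '
}

# Stand-alone run. On a live system, feed "debsecan --suite jessie"
# into high_remote / distinct_cves instead of the sample.
echo "matching lines: $(count_pairs "$SAMPLE")"   # 4
echo "distinct CVEs:  $(count_cves "$SAMPLE")"    # 2
printf '%s\n' "$SAMPLE" | distinct_cves
```

The per-CVE list is the one worth reading through: each identifier maps to one Debian Security Tracker entry, whereas the per-line count grows with every `-dev`, `-dbg` or library split of the same source package.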

dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: debsecan

#2 Post by dasein »

Do you want a technically accurate answer? Or are you willing to settle for an answer someone just pulled out of their ass?

I trust my point is obvious, even to you.

kopper
Posts: 137
Joined: 2016-09-30 14:30

Re: debsecan

#3 Post by kopper »

A vulnerability is, well... a vulnerability. I don't know about debsecan's accuracy or how it works precisely, but if I understood correctly the basic idea is to compare installed software versions against Debian Security Team bulletin information. If you have an up-to-date system, your results seem rather interesting. The thing to remember is that debsecan is a local scanner, which doesn't tell you how exposed the found vulnerabilities are from outside your system. To find out your exposure, you should run something from the network side, e.g. an nmap or nessus scan.

So with an up-to-date system I wouldn't panic. Just keep installing patches as they get published and see that your firewall rules expose only needed services (sometimes there are none, so reject anything except ESTABLISHED or RELATED). It's of course a good habit to get rid of everything you don't need and keep your installed packages and services at a minimum to minimize the attack surface.
dasein wrote: Do you want a technically accurate answer? Or are you willing to settle for an answer someone just pulled out of their ass?
I trust my point is obvious, even to you.
I don't think a person with your kind of expertise and experience needs to be this petty.
Last edited by kopper on 2017-08-25 09:35, edited 1 time in total.
Debian 10.2 Stable with i3
Secure your stuff: Securing Debian Manual
Don't break your stuff: Source List Management DontBreakDebian
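The firewall policy described in the post above, as an added example that is not part of the thread: loopback and ESTABLISHED/RELATED traffic accepted, new connections allowed only to the listed TCP ports, everything else rejected. The function emits text in iptables-restore format instead of calling iptables, so the ruleset can be reviewed before it is loaded. Assumptions (mine, not the poster's): IPv4 only, the conntrack match module is available, and services are given as a space-separated list of TCP port numbers.

```shell
# Added example: generate an iptables-restore ruleset that exposes only the
# requested TCP ports and accepts reply traffic via conntrack.
# Assumptions: IPv4, "-m conntrack" available, ports passed as "22 443".

# Usage: make_ruleset "22 443"   (empty string = no inbound services at all)
make_ruleset() {
    ports=$1
    printf '%s\n' '*filter'
    # Default policy DROP for inbound/forwarded; outbound left open.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Local processes talking to each other over loopback.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened, plus related traffic
    # (ICMP errors, FTP data channels) that conntrack ties to them.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # One ACCEPT per exposed service; only these may open a new connection.
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Explicit reject rather than silent drop: legitimate clients fail fast.
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-port-unreachable'
    printf '%s\n' 'COMMIT'
}

# Sanity check before loading: how many services does the ruleset open?
count_open_ports() {
    make_ruleset "$1" | grep -c -- '--dport'
}

# Stand-alone run: print a ruleset exposing only SSH.
# Load it with:  make_ruleset "22" | iptables-restore
make_ruleset "22"
```

Pairing this with the earlier point about debsecan being a local scanner: a CVE flagged as "remotely exploitable" in a service that no rule here accepts is still worth patching, but it is not reachable from the network until something opens the port.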

Wheelerof4te
Posts: 1454
Joined: 2015-08-30 20:14

Re: debsecan

#4 Post by Wheelerof4te »

ruffwoof wrote: As a relative newb I find that worrying. Should I be?
Nah, it's all good. You don't have to worry much, unless you are running a high risk server. 71 CVE is not that much.
dasein wrote: Do you want a technically accurate answer? Or are you willing to settle for an answer someone just pulled out of their ass?
dasein, well where have you been all this time? Have you settled for a Wheezy replacement? What's it gonna be? :D
