debsecan
Posted: 2017-08-25 02:26
by ruffwoof
I installed debsecan and then ran
debsecan --suite jessie
and back came nearly 2000.
Filtering that down to high urgency and remotely exploitable still saw nearly 200:
debsecan --suite=jessie | grep "high urgency" | grep "remotely exploitable" | sort | uniq | wc -l
Filtering that list down to remove duplicate CVE numbers left 71.
As a relative newb I find that worrying. Should I be?
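The pipeline in the post above deduplicates whole lines, so one CVE that affects several binary packages (libfoo1 and libfoo-dev, say) is still counted twice. The script below is an added example, not code from the thread or from the debsecan project: it deduplicates on the CVE column instead, and separates the CVEs that already have a fix available from the rest. The sample lines are constructed for this example and follow the summary format debsecan prints by default (CVE ID, package, then a parenthesised flag list such as fixed, remotely exploitable and the urgency); the CVE numbers and package names are placeholders, not real advisories.

```shell
#!/bin/sh
# Added example (not from the thread). Post-processes debsecan's default
# "summary" output: filter to high urgency + remotely exploitable, then count
# distinct CVE IDs rather than distinct lines.

# Constructed sample of debsecan summary lines; IDs and packages are placeholders.
SAMPLE_DEBSECAN='CVE-2017-0001 libfoo1 (remotely exploitable, high urgency)
CVE-2017-0001 libfoo-dev (remotely exploitable, high urgency)
CVE-2017-0002 libbar2 (fixed, remotely exploitable, high urgency)
CVE-2017-0003 libbaz0 (remotely exploitable, medium urgency)
CVE-2017-0004 qux (high urgency)
CVE-2017-0005 quux (low urgency)'

# Keep only lines that are both high urgency and remotely exploitable.
# grep -F matches the strings literally (no regex surprises from the parentheses).
filter_high_remote() {
    grep -F 'high urgency' | grep -F 'remotely exploitable'
}

# What the post's pipeline counted: one row per (CVE, package) pair.
count_rows() {
    filter_high_remote | wc -l | tr -d ' '
}

# Distinct CVE IDs among the filtered rows; the CVE is always the first field.
count_unique_cves() {
    filter_high_remote | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Distinct CVEs flagged "fixed", i.e. a patched package already exists and an
# apt upgrade closes them; the remainder are open upstream/in Debian.
count_fixed_cves() {
    filter_high_remote | grep -F '(fixed' | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# On a real jessie box you would feed the live output instead:
#   debsecan --suite jessie | count_unique_cves
# Here the constructed sample stands in for it.
rows=$(printf '%s\n' "$SAMPLE_DEBSECAN" | count_rows)
cves=$(printf '%s\n' "$SAMPLE_DEBSECAN" | count_unique_cves)
fixed=$(printf '%s\n' "$SAMPLE_DEBSECAN" | count_fixed_cves)
printf 'rows=%s unique_cves=%s fixed_cves=%s\n' "$rows" "$cves" "$fixed"
```

The number worth watching is the unique-CVE count minus the fixed ones: those are the issues no upgrade will close today, and for each of them the next question is whether the affected package is even reachable from the network on that host.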
Re: debsecan
Posted: 2017-08-25 03:36
by dasein
Do you want a technically accurate answer? Or are you willing to settle for an answer someone just pulled out of their ass?
I trust my point is obvious, even to you.
Re: debsecan
Posted: 2017-08-25 05:27
by kopper
A vulnerability is, well... a vulnerability. I don't know about debsecan's accuracy or how it works precisely, but if I understood correctly the basic idea is to compare installed software versions against Debian Security Team bulletin information. If you have an up-to-date system, your results seem rather interesting. The thing to remember is that debsecan is a local scanner, which doesn't tell you how exposed the found vulnerabilities are from outside your system. To find out your exposure, you should run something from the network side, e.g. an nmap or Nessus scan.
So with an up-to-date system I wouldn't panic. Just keep installing patches as they get published and see that your firewall rules expose only the needed services (sometimes there are none, so reject anything except ESTABLISHED or RELATED). It's of course a good habit to get rid of everything you don't need and keep your installed packages and services to a minimum to minimize the attack surface.
dasein wrote:Do you want a technically accurate answer? Or are you willing to settle for an answer someone just pulled out of their ass?
I trust my point is obvious, even to you.
I don't think a person with your kind of expertise and experience needs to be this petty.
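The firewall advice in the reply above (accept ESTABLISHED/RELATED, expose only the services you need, reject the rest) in runnable form. This is an added example, not code from the thread: it lists what is currently listening so you can decide what belongs in the allow list, and emits an iptables-restore ruleset for a default-deny INPUT chain from the TCP ports you pass in. The port numbers used are illustrative; the iptables matches used (conntrack ctstate, dport, REJECT with tcp-reset / icmp-port-unreachable) are standard.

```shell
#!/bin/sh
# Added example (not from the thread). Build a default-deny INPUT chain:
# loopback + ESTABLISHED/RELATED in, the listed TCP ports in, everything else rejected.

# Show listening TCP/UDP sockets (ss is part of iproute2). Anything listed here
# that you don't recognise is a candidate for removal, not for an allow rule.
list_listeners() {
    if command -v ss >/dev/null 2>&1; then
        ss -tuln
    else
        echo "ss not found; try: netstat -tuln" >&2
        return 1
    fi
}

# Emit an iptables-restore ruleset. Arguments: TCP ports to allow (may be none).
default_deny_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "skipping non-numeric port: $port" >&2; continue ;;
        esac
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Reject rather than silently drop: legitimate clients fail fast instead of hanging.
    echo '-A INPUT -p tcp -j REJECT --reject-with tcp-reset'
    echo '-A INPUT -j REJECT --reject-with icmp-port-unreachable'
    echo 'COMMIT'
}

# Count the per-port allow rules in a ruleset read on stdin (for review).
count_allowed_ports() {
    grep -c -- '--dport' || true
}

# Usage: generate the ruleset for ssh only, read it, then load it as root with
#   default_deny_ruleset 22 | iptables-restore
# Do this from a console session, not over the ssh you are about to firewall.
default_deny_ruleset 22
```

After loading the rules, a scan from another host (nmap against the box's address) should show only the ports you allowed as open; anything else that debsecan flagged is then at least not directly reachable from the network, which is the exposure question the local scan cannot answer.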
Re: debsecan
Posted: 2017-08-25 06:20
by Wheelerof4te
ruffwoof wrote:As a relative neub I find that worrying. Should I be?
Nah, it's all good. You don't have to worry much, unless you are running a high-risk server. 71 CVEs is not that much.
dasein wrote:Do you want a technically accurate answer? Or are you willing to settle for an answer someone just pulled out of their ass?
dasein, well where have you been all this time? Have you settled for a Wheezy replacement? What's it gonna be?