Page 1 of 1

debsecan

PostPosted: 2017-08-25 02:26
by ruffwoof
I installed debsecan and then ran

debsecan --suite jessie

and back came nearly 2000

Filtering that down to high urgency and remotely exploitable still saw nearly 200

debsecan --suite=jessie | grep "high urgency" | grep "remotely exploitable" | sort | uniq | wc -l

Filtering that list down to remove duplicate CVE numbers left 71

As a relative neub I find that worrying. Should I be?

Re: debsecan

PostPosted: 2017-08-25 03:36
by dasein
Do you want a technically accurate answer? Or are you willing to settle for an answer someone just pulled out of their ass?

I trust my point is obvious, even to you.

Re: debsecan

PostPosted: 2017-08-25 05:27
by kopper
Vulnerability is well.. a vulnerability. I don't know about debsescan's accuracy or how it works precisely, but if I understood correctly the basic idea is to compare installed software version on Debian Security Team bulletin information. If you have up-to-date system, your results seem rather interesting. Thing to remember is, that debsescan is a local scanner, which doesn't tell how exposed found vulnerabilities are from the outside of your system. To find out your exposure, you should run something from the network side, e.g. nmap or nessus scan.

So with up-to-date system I wouldn't panic. Just keep installing patches as they get published and see that your firewall rules expose only needed services (sometimes there is none, so reject anything except ESTABLISHED or RELATED). It's of course a good habit to get rid of everything you don't need and keep your installed packages and services at minimum the minimize the attack surface.

dasein wrote:Do you want a technically accurate answer? Or are you willing to settle for an answer someone just pulled out of their ass?
I trust my point is obvious, even to you.

I don't think a person with your kind of expertise and experience needs to be this petty.

Re: debsecan

PostPosted: 2017-08-25 06:20
by Wheelerof4te
ruffwoof wrote:As a relative neub I find that worrying. Should I be?


Nah, it's all good. You don't have to worry much, unless you are running a high risk server. 71 CVE is not that much.

dasein wrote:Do you want a technically accurate answer? Or are you willing to settle for an answer someone just pulled out of their ass?


dasein, well where have you been all this time? Have you settled for a Wheezy replacement? What's it gonna be? :D