To install security updates automatically I use unattended-upgrade:
$ sudo unattended-upgrade -d | tail -1
No packages found that can be upgraded unattended and no pending auto-removalsI also tried another tool called debsecan (homepage, currently on official repos) to list all packages with any vulnerability of CVE database. On a recently updated Ubuntu 18.04 LTS it returns 967 "remotely exploitable, high urgency" vulnerabilities on 220 packages (7 times more in total):
$ debsecan | grep "remotely exploitable, high urgency" | wc -l
967
$ debsecan | grep "remotely exploitable, high urgency" | col2 | uniq | wc -l
220
$ debsecan | grep -o "CVE-20[0-2][0-9]" | sort | uniq -c 3 CVE-2007 2 CVE-2008 8 CVE-2009 3 CVE-2012 14 CVE-2013 9 CVE-2014 42 CVE-2015 173 CVE-2016 948 CVE-2017 3616 CVE-2018 4158 CVE-2019 3540 CVE-2020 1 CVE-2021- Am I missing something?
- There is any tool to check for vulnerabilities, maybe a debsecan for Ubuntu, like Red Hat's OpenSCAP (now available! See below). Any other beside OpenVAS or Nessus?
Updates
2019: Answer from someone on Ubuntu Security Team:
In Ubuntu, landscape is the preferred solution for checking security update status.
We would certainly like for someone to contribute the modifications required to get debsecan working. Here is the bug about debsecan.
Seems
debsecanread this file:curl -s | zlib-flate -uncompress | lessAFAIK (please correct me) since there is no API for Ubuntu Security Advisory (USN), the data from CVE-tracking page or USN (
or maybe easier from here, everything on bazaar.launchpad.net seems removed) should be merged [into a JSON and] there.2020-05: UST2DSA
We've just finished a tool to build debsecan suitable databases from the Ubuntu CVE Tracker data.
It is open source under Apache 2.0 and it is available here:
Using Github's CI we rebuild the databases every 6 hours for them to contain the latest vulnerability information.
If anybody want to test the result you just have to run this command in your current Ubuntu installation:debsecan --suite $(lsb_release --codename --short) --source2021-11: Ubuntu’s OVAL data using OpenSCAP
sudo apt install libopenscap8 # Install OpenSCAP base wget (lsb_release -cs).usn.oval.xml.bz2 bunzip2 com.ubuntu.$(lsb_release -cs).usn.oval.xml.bz2 oscap oval eval --report report.html com.ubuntu.$(lsb_release -cs).usn.oval.xml xdg-open report.html
1 Answer
Tl;DR: debsecan needs to be fixed to use Ubuntu's security tracker for it to be of any use on Ubuntu.
The debsecan script only checks the Debian Security Tracker, and only supports Debian releases in the --suite options. Since patched versions of Ubuntu packages don't show up in Debian's tracker, we get results like this:
$ debsecan | grep "remotely exploitable, high urgency" | head
CVE-2017-14632 libvorbisfile3 (remotely exploitable, high urgency)
CVE-2016-2776 bind9-host (remotely exploitable, high urgency)
CVE-2017-14930 binutils-dev (remotely exploitable, high urgency)
CVE-2017-8421 binutils-dev (remotely exploitable, high urgency)
CVE-2018-8784 libwinpr-interlocked0.1 (remotely exploitable, high urgency)
...I'm on 16.04, and of these CVEs:
- CVE-2017-14632 is fix-released in 16.04
- CVE-2016-2776 is fix-released in 16.04
- CVE-2017-14930 needs triage in 16.04, and newer releases are marked not affected.
- CVE-2017-8421 needs triage
- and CVE-2018-8784 does not exist in 16.04.
So, of the first five I looked at, three were fixed or didn't affect me, one had some action taken and only one hadn't seen any action. The next five, CVE-2018-8785 through 2018-8789, were all fix-released or not affecting 16.04.
2
