Hi, I'd like to use the debsecan tool to keep me updated about open security issues and available fixes. I tried it and it works almost as expected i.e. almost the same as on a vanilla debian system. But there seems to be one problem. When a package has a RPi specific version, as indicated by the +rpt1+ substring in the version suffix, debsecan seems to warn about vulnerabilities in the package even if they have been fixed in the underlying pure debian version -- the one with +rpt1+ removed.
As an example, consider the package libbluetooth3 as it exists now in the bookworm release, which is version 5.66-1+rpt1+deb12u2. When I run debsecan --suite bookworm it includes vulnerability CVE-2023-27349 in its report. But then, looking this up on security-tracker.debian.org, I learn that this is fixed in the debian version 5.66-1+deb12u2 -- and so, I presume it is already fixed in the corresponding RPi version as well.
Am I making sense so far? If my understanding above is correct, this would make debsecan not very useful for me after all Image may be NSFW.
Clik here to view.
because I would have to look at each package changelog after upgrades to track the issues, which is already what I do now ...
So my questions are:
As an example, consider the package libbluetooth3 as it exists now in the bookworm release, which is version 5.66-1+rpt1+deb12u2. When I run debsecan --suite bookworm it includes vulnerability CVE-2023-27349 in its report. But then, looking this up on security-tracker.debian.org, I learn that this is fixed in the debian version 5.66-1+deb12u2 -- and so, I presume it is already fixed in the corresponding RPi version as well.
Am I making sense so far? If my understanding above is correct, this would make debsecan not very useful for me after all Image may be NSFW.
Clik here to view.
because I would have to look at each package changelog after upgrades to track the issues, which is already what I do now ...So my questions are:
- * do I have the facts correct above?
* is this basically a bug in debsecan that ought to be fixed?
* is there an automated workaround now?
Statistics: Posted by nobrowser — Sun Nov 10, 2024 4:12 am — Replies 1 — Views 34
