* Tomasz Ciolek:

> This has been bugging me for a while. debsecan shows the following
> package as being vulnerable and having updates available to fix the
> issue:
>
> *** Available security updates
>
> CVE-2017-15908 In systemd 223 through 235, a remote DNS server can...
> <https://security-tracker.debian.org/tracker/CVE-2017-15908>
> - libudev1, libpam-systemd, libsystemd0, udev, systemd
> (remotely exploitable, medium urgency)
Verbose output shows:

CVE-2017-15908 (fixed, remotely exploitable, medium urgency)
  In systemd 223 through 235, a remote DNS server can respond with a ...
  installed: libudev1 232-25+deb9u3 (built from systemd 232-25+deb9u3)
  fixed in unstable: systemd 235-3 (source package)
  fixed on branch: systemd 0 (source package)
  fixed on branch: systemd 215-17+deb8u6 (source package)
  fixed on branch: systemd 215-17+deb8u7 (source package)
  fixed on branch: systemd 232-25+deb9u2 (source package)
  fixed on branch: systemd 44-11+deb7u4 (source package)
  fixed on branch: systemd 44-11+deb7u5 (source package)
  fix is available for the selected suite (stretch)

The problem is that 232-25+deb9u3 is only available in
stretch-proposed-updates, so it is not known to the security tracker, and
the version is not listed as fixed.

The challenge is to figure out on which branch a package was built. It may
not always be visible in the version number. /var/lib/dpkg/status does not
record the source repository, either:

Package: libudev1
Status: install ok installed
Priority: important
Section: libs
Installed-Size: 223
Maintainer: Debian systemd Maintainers <pkg-systemd-maintain...@lists.alioth.debian.org>
Architecture: amd64
Multi-Arch: same
Source: systemd
Version: 232-25+deb9u3
Depends: libc6 (>= 2.16)
Description: libudev shared library
 This library provides access to udev device information.
Homepage: https://www.freedesktop.org/wiki/Software/systemd

I don't have a good idea how to fix this, except by adding more
repositories to the security tracker, so that it knows about more fixed
package versions.
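As an added example, not code from the thread or from debsecan itself: a Python port of dpkg's version ordering applied to the versions quoted in the reply. It shows that plain version comparison already puts the installed 232-25+deb9u3 at or above the stretch fix 232-25+deb9u2, while that exact version is absent from the tracker's list, which is the mismatch the reply describes; the branch names in FIXED_ON_BRANCH are assumed from the +deb7u/+deb8u/+deb9u suffixes and are not stated in the thread.

```python
def _order(c):
    # dpkg ordering: '~' before anything (even end of string), letters before non-letters
    if c == "~":
        return -1
    if not c or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): non-digit runs compare per _order, digit runs numerically.
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        i += len(a[i:]) - len(a[i:].lstrip("0"))  # leading zeros are not significant
        j += len(b[j:]) - len(b[j:].lstrip("0"))
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(x, y):
    # -1, 0 or 1 following dpkg's [epoch:]upstream[-revision] rules
    def split(v):
        epoch, sep, rest = v.partition(":")
        epoch, rest = (int(epoch), rest) if sep else (0, v)
        upstream, sep, revision = rest.rpartition("-")
        return epoch, (upstream if sep else rest), (revision if sep else "")
    (ex, ux, rx), (ey, uy, ry) = split(x), split(y)
    c = (ex > ey) - (ex < ey) or _verrevcmp(ux, uy) or _verrevcmp(rx, ry)
    return (c > 0) - (c < 0)

# Fixed versions from the tracker output quoted above; the branch names are an
# assumption based on the +deb7u/+deb8u/+deb9u suffixes (not stated in the thread).
FIXED_ON_BRANCH = {"wheezy": "44-11+deb7u5", "jessie": "215-17+deb8u7",
                   "stretch": "232-25+deb9u2", "sid": "235-3"}

def fix_status(installed, suite, fixed=FIXED_ON_BRANCH):
    return {"at_or_above_fix": compare_versions(installed, fixed[suite]) >= 0,
            "version_known_to_tracker": installed in fixed.values()}
```

For the installed stretch version, fix_status("232-25+deb9u3", "stretch") reports at_or_above_fix True but version_known_to_tracker False, the combination behind the false positive.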