On Monday, 11 May 2020 00:14:02 PDT Victor Sudakov wrote:
> Ihor Antonov wrote:
> > On Sunday, 10 May 2020 08:18:29 PDT Victor Sudakov wrote:
> > > Have I asked in the wrong list? Which list would be more appropriate?
> >
> > Hi Victor,
> >
> > I think this is the right list. But it seems that the message got lost
> > somehow in the high volume. I have not used debsecan personally, so I am
> > replying simply to keep this thread alive hoping to get it more visibility
>
> Hi Ihor!
>
> What do you use to track vulnerabilities in your Debian hosts? What's the
> general approach? Do we just rely upon unattended-upgrade to fetch and
> install patched packages for us?

Running unattended upgrades is generally a recommended way to keep the
system up-to-date. It minimizes the time from an update being published to
its being installed.

I got interested and installed debsecan on my laptop. Here is what man says:

    Much like the official Debian security advisories, debsecan's
    vulnerability tracking is mostly based on source packages.

So it seems that it only knows about issues that were reported to source
packages. The next logical step would be to grep the bug tracker to see if
this CVE was even reported to that package.

> I come from the FreeBSD world where there are two distinct mechanisms to
> fix vulnerabilities: one for the base system (FreeBSD Security Advisories
> and freebsd-update to install binary updates to the base system) and
> another for third-party software from the ports collection ("pkg audit
> -F" instead of security advisories, "pkg upgrade" to install up-to-date
> patched versions of packages).
>
> What do we have here, or where can I read more about it?

There are also Debian security advisories: https://www.debian.org/security/
and the debian-security-announce mailing list.

Separately - I also happened to run a couple of FreeBSD boxes, could you
share your motivation for switching to Debian?

Thanks
-- 
Ihor Antonov
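The reply above notes that debsecan reports against source packages and that unfixed findings still have to be checked against the tracker by hand. The following triage helper is an added example, not code from the thread or from the debsecan project: it parses debsecan's default one-line report (the "CVE-ID source-package (flags)" layout is assumed from memory of the tool, and the report text here is constructed, with placeholder CVE numbers), separates fixed from unfixed findings, and orders the unfixed ones by urgency so the ones worth looking up first surface at the top.

```python
"""Triage helper for debsecan output (added example, not from the thread).

debsecan tracks vulnerabilities per *source* package, so a finding is only
present when the issue was filed against that source package. This script
parses the assumed one-line report format, drops fixed entries, and sorts
the rest by urgency and remote exploitability for manual follow-up on the
Debian security tracker.
"""
import re
from collections import defaultdict

# Assumed default debsecan line format: "CVE-ID source-package (flag, flag, ...)".
LINE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s+(\S+)(?:\s+\((.*)\))?\s*$")

URGENCY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample report; CVE numbers and package pairings are placeholders.
SAMPLE_REPORT = """\
CVE-2020-00001 glibc (remotely exploitable, high urgency)
CVE-2020-00002 openssl (fixed, remotely exploitable, high urgency)
CVE-2020-00003 vim (low urgency)
CVE-2020-00004 sudo (fixed, medium urgency)
CVE-2020-00005 linux (obsolete, high urgency)
this line is not a debsecan finding and is skipped
"""


def parse_report(text):
    """Turn report lines into dicts; lines that do not match are ignored."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cve, source, flags = m.group(1), m.group(2), m.group(3) or ""
        parts = [p.strip() for p in flags.split(",") if p.strip()]
        # The urgency flag reads e.g. "high urgency"; keep just the level.
        urgency = next((p.split()[0] for p in parts if p.endswith("urgency")), "unknown")
        findings.append({
            "cve": cve,
            "source": source,
            "fixed": "fixed" in parts,
            "remote": "remotely exploitable" in parts,
            "obsolete": "obsolete" in parts,
            "urgency": urgency,
        })
    return findings


def pending(findings):
    """Unfixed findings only, highest urgency and remotely exploitable first."""
    todo = [f for f in findings if not f["fixed"]]
    return sorted(
        todo,
        key=lambda f: (URGENCY_RANK.get(f["urgency"], 9), not f["remote"], f["cve"]),
    )


def by_source(findings):
    """Map each source package to the CVE ids reported against it."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["source"]].append(f["cve"])
    return dict(groups)


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for f in pending(report):
        print(f"{f['cve']:16} {f['source']:10} {f['urgency']:7} remote={f['remote']}")
```

On a real host the report would come from `debsecan` itself rather than the embedded sample; the "obsolete" flag marks entries for packages no longer in the current release, which is why the script keeps it visible rather than dropping such findings.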