On Mon 11 May 2020 at 19:53:46 (-0700), Ihor Antonov wrote:
> On Monday, 11 May 2020 00:14:02 PDT Victor Sudakov wrote:
> >
> > What do you use to track vulnerabilities in your Debian hosts? What's the
> > general approach? Do we just rely upon unattended-upgrade to fetch and
> > install patched packages for us?
>
> Running unattended upgrades is generally a recommended way to keep the system
> up-to-date. It minimizes the time from update being published to installed.
>
> I got interested and installed debsecan on my laptop. Here is what man says:
>
>     Much like the official Debian security advisories, debsecan's
>     vulnerability tracking is mostly based on source packages.
>
> So it seems that it only knows about issues that were reported to source
> packages. The next logical step would be to grep bugtracker to see if this
> CVE was even reported to that package.
Or you could check /usr/share/doc/openssl/changelog.Debian.gz though it only
shows up in version 1.1.1d-0+deb10u3 of course.

$ zcat /usr/share/doc/openssl/changelog.Debian.gz | head
openssl (1.1.1d-0+deb10u3) buster-security; urgency=medium

  * CVE-2020-1967 (Segmentation fault in SSL_check_chain).

 -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc>  Mon, 20 Apr 2020 22:23:01 +0200

openssl (1.1.1d-0+deb10u2) buster-security; urgency=medium

  * Reenable AES-CBC-HMAC-SHA ciphers (Closes: #941987).
$

(I'm not sure why the OP is still running the previous version.)

> > I come from the FreeBSD world where there are two distinct mechanisms to
> > fix vulnerabilities: one for the base system (FreeBSD Security Advisories
> > and freebsd-update to install binary updates to the base system) and
> > another for third-party software from the ports collection ("pkg audit
> > -F" instead of security advisories, "pkg upgrade" to install up-to-date
> > patched versions of packages).
> >
> > What do we have here, or where can I read more about it?
>
> There are also Debian security advisories:
> https://www.debian.org/security/ and debian-security-announce mailing list
>
> Separately - I also happened to run a couple of FreeBSD boxes, could you
> share your motivation for switching to Debian?

Cheers,
David.
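As an added example (not from anyone in this thread), a small Python script that automates the changelog check above: it parses a changelog.Debian.gz, finds the oldest version whose entry mentions a given CVE, and reports whether an installed version is at or above it using the changelog's own newest-first order rather than reimplementing dpkg's version comparison. The embedded sample is a constructed copy of the excerpt quoted above, with the maintainer address and the second entry's date replaced by placeholders; load_changelog reads the real file on a Debian host.

```python
import gzip
import re

# Constructed sample modelled on the changelog excerpt quoted in the thread;
# the maintainer address and the second date are placeholders, not real values.
SAMPLE_CHANGELOG = """\
openssl (1.1.1d-0+deb10u3) buster-security; urgency=medium
  * CVE-2020-1967 (Segmentation fault in SSL_check_chain).
 -- Sebastian Andrzej Siewior <MAINTAINER@PLACEHOLDER>  Mon, 20 Apr 2020 22:23:01 +0200

openssl (1.1.1d-0+deb10u2) buster-security; urgency=medium
  * Reenable AES-CBC-HMAC-SHA ciphers (Closes: #941987).
 -- Sebastian Andrzej Siewior <MAINTAINER@PLACEHOLDER>  DATE-PLACEHOLDER
"""

# Entry header: "<source> (<version>) <distribution>; urgency=..."
ENTRY_RE = re.compile(r"^(?P<src>\S+) \((?P<ver>[^)]+)\) (?P<dist>\S+);", re.M)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_changelog(text):
    """Return entries newest-first as (version, distribution, set_of_cves)."""
    heads = list(ENTRY_RE.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        cves = set(CVE_RE.findall(text[m.end():end]))
        entries.append((m.group("ver"), m.group("dist"), cves))
    return entries


def fixed_in(entries, cve):
    """Oldest version whose entry mentions the CVE, or None if never mentioned."""
    for ver, _dist, cves in reversed(entries):
        if cve in cves:
            return ver
    return None


def installed_has_fix(entries, installed, cve):
    """True/False when the installed version appears in the changelog, else None.
    Entries are newest-first, so a smaller index means a newer version."""
    versions = [ver for ver, _dist, _cves in entries]
    fix = fixed_in(entries, cve)
    if fix is None or installed not in versions:
        return None
    return versions.index(installed) <= versions.index(fix)


def load_changelog(path):
    """Parse a real /usr/share/doc/<pkg>/changelog.Debian.gz from a Debian host."""
    with gzip.open(path, "rt", encoding="utf-8", errors="replace") as fh:
        return parse_changelog(fh.read())
```

Pair it with `dpkg-query -W -f '${Version}' openssl` to obtain the installed version string; a None result means the installed version is not in the changelog at all, which usually indicates a package from a different suite or source.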