Inconsistency between unattended-upgrade and debsecan

Solution 1:

TL;DR: debsecan needs to be fixed to use Ubuntu's security tracker for it to be of any use on Ubuntu.


The debsecan script only checks the Debian Security Tracker, and only supports Debian releases in the --suite option. Since patched versions of Ubuntu packages don't show up in Debian's tracker, we get results like this:

$  debsecan | grep "remotely exploitable, high urgency" | head
CVE-2017-14632 libvorbisfile3 (remotely exploitable, high urgency)
CVE-2016-2776 bind9-host (remotely exploitable, high urgency)
CVE-2017-14930 binutils-dev (remotely exploitable, high urgency)
CVE-2017-8421 binutils-dev (remotely exploitable, high urgency)
CVE-2018-8784 libwinpr-interlocked0.1 (remotely exploitable, high urgency)
...

I'm on 16.04, and of these CVEs:

  • CVE-2017-14632 is fix-released in 16.04
  • CVE-2016-2776 is fix-released in 16.04
  • CVE-2017-14930 needs triage in 16.04, and newer releases are marked not affected.
  • CVE-2017-8421 needs triage
  • and CVE-2018-8784 does not exist in 16.04.

So, of the first five I looked at, three were fixed or didn't affect me, one had some action taken and only one hadn't seen any action. The next five, CVE-2018-8785 through 2018-8789, were all fix-released or not affecting 16.04.
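The manual cross-check the answer describes, done as a script, is shown below. This is an added example, not code from the answer or from the debsecan project: it parses the debsecan output lines quoted above and triages each CVE against a per-release Ubuntu status table. The table here is constructed from the statuses the answer reports for 16.04 and uses the answer's own wording for them; in practice you would populate it from the Ubuntu security tracker yourself (how to fetch it is not covered here). CVEs missing from the table are kept as open rather than silently dropped.

```python
import re
from dataclasses import dataclass

# One debsecan output line: "<CVE id> <binary package> (<detail>)".
DEBSECAN_LINE = re.compile(r"^(CVE-\d{4}-\d+)\s+(\S+)\s+\((.*)\)$")

# Constructed sample input, in the shape of the debsecan output quoted in the answer.
SAMPLE_DEBSECAN_OUTPUT = """\
CVE-2017-14632 libvorbisfile3 (remotely exploitable, high urgency)
CVE-2016-2776 bind9-host (remotely exploitable, high urgency)
CVE-2017-14930 binutils-dev (remotely exploitable, high urgency)
CVE-2017-8421 binutils-dev (remotely exploitable, high urgency)
CVE-2018-8784 libwinpr-interlocked0.1 (remotely exploitable, high urgency)
...
"""

# Constructed Ubuntu status table for 16.04, using the statuses the answer
# reports for these five CVEs. Assumption: a real run fills this dictionary
# from the Ubuntu security tracker for the release you are on.
UBUNTU_STATUS_16_04 = {
    "CVE-2017-14632": "fix-released",
    "CVE-2016-2776": "fix-released",
    "CVE-2017-14930": "needs-triage",
    "CVE-2017-8421": "needs-triage",
    "CVE-2018-8784": "does-not-exist",
}

# Statuses under which a debsecan hit is a false positive on Ubuntu.
RESOLVED_STATUSES = {"fix-released", "not-affected", "does-not-exist"}


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    detail: str


def parse_debsecan(text):
    """Parse debsecan's one-line-per-CVE output into Finding records.

    Blank lines and the '...' truncation marker are skipped; any other line
    that does not match the expected shape raises, so garbled input is not
    silently ignored.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        match = DEBSECAN_LINE.match(line)
        if match is None:
            raise ValueError(f"unrecognised debsecan line: {line!r}")
        findings.append(Finding(*match.groups()))
    return findings


def triage(findings, ubuntu_status):
    """Split findings by Ubuntu status.

    Returns (resolved, still_open, unknown): resolved and still_open are lists
    of (Finding, status) pairs; unknown holds findings absent from the table,
    which a reviewer must treat as open until checked.
    """
    resolved, still_open, unknown = [], [], []
    for finding in findings:
        status = ubuntu_status.get(finding.cve)
        if status is None:
            unknown.append(finding)
        elif status in RESOLVED_STATUSES:
            resolved.append((finding, status))
        else:
            still_open.append((finding, status))
    return resolved, still_open, unknown


if __name__ == "__main__":
    found = parse_debsecan(SAMPLE_DEBSECAN_OUTPUT)
    resolved, still_open, unknown = triage(found, UBUNTU_STATUS_16_04)
    print(f"{len(found)} debsecan hits: {len(resolved)} resolved on Ubuntu, "
          f"{len(still_open)} still open, {len(unknown)} not in status table")
    for finding, status in still_open:
        print(f"OPEN     {finding.cve} {finding.package} [{status}]")
    for finding in unknown:
        print(f"UNKNOWN  {finding.cve} {finding.package} [check tracker]")
```

Running it over the sample prints 3 resolved and 2 open hits, which matches the answer's count for the first five CVEs; feeding it the full `debsecan` output instead of the sample gives the same split for a whole system once the status table is filled in.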