DEBSECAN(1)
NAME
debsecan - Debian Security Analyzer
SYNOPSIS
debsecan options...
DESCRIPTION
debsecan analyzes the list of installed packages on the current host
and reports vulnerabilities found on the system.
OPTIONS
--suite count
Choose a specific suite. debsecan produces more informative
output (including obsolete packages) if the correct suite is
specified. The release code name has to be used ("sid"), not
the temporal name ("unstable").
--whitelist file
Change the name of the whitelist file.
--add-whitelist, --remove-whitelist, --show-whitelist
Add or remove entries from the whitelist, or print the whitelist
to standard output. See the CHANGING THE WHITELIST section below.
--source url
Override the default download URL for vulnerability data.
--status file
Evaluate a different dpkg status file.
--format format
Change the output format. If format is summary (the default), a
short summary for each vulnerability is printed. The simple
format is like the summary format, except that only the bug and
package names are printed. For bugs and packages, debsecan
lists the names of vulnerabilities and binary packages,
respectively. --format detail requests a verbose output format,
showing all available data. The report format is used for email
reports.
--line-length characters
Specifies the line length in report mode. The default is 72.
--mailto mailbox
The --mailto option instructs debsecan to send the report to the
email address mailbox. No report is sent if there were no
changes since the last invocation with --update-history. This
option requires the --format report output format. The option
value may contain macros, see the section CONFIGURATION FILE
MACROS below.
--only-fixed
Only list vulnerabilities for which a fix is available in the
archive. Note that it can happen that a fix is listed, although
the package has not been built for the system's architecture and
is not yet available for download. (If you use this option, you
also must specify the correct suite using --suite.)
--no-obsolete
Do not list any obsolete packages (see below). Using this
option is not recommended because it hides real vulnerabilities
on some systems, not just false positives.
--history file
Change the name of the history file used by --format report.
--disable-https-check
Turn off certificate validation for HTTPS.
--update-history
Update the vulnerability status information after reporting it
using --format report.
--cron Internal option used for invocations from cron. Checks if the
vulnerability data has already been downloaded today. In this
case, further processing is skipped. See debsecan-create-cron(8)
for instructions on how to create a suitable cron entry.
--config file
Sets the location of the configuration file.
--help Display a short help message and exit.
--version
Display version information and exit.
CONFIGURATION FILE
The configuration file contains the following variables. It follows
name=value shell syntax. If value contains white space, it must be
surrounded by double quotes. Some variables may contain macros; see
the section CONFIGURATION FILE MACROS below.
MAILTO Sets the email address to which reports are sent in --cron mode.
May contain macros.
REPORT Controls whether debsecan does any processing whatsoever in
--cron mode. (Permitted values: true and false.)
SOURCE Controls the URL from which vulnerability information is
fetched. If empty, the built-in default is used.
SUITE Sets the default value of the --suite option (see there).
SUBJECT
Changes the subject line of reports. May contain macros.
DISABLE_HTTPS_CHECK
Disables HTTPS certificate checking, just like the
--disable-https-check command line option.
CONFIGURATION FILE MACROS
Macro processing replaces strings of the form %(key)s with
system-dependent values. Supported keys are:
hostname
The host name on which debsecan runs, without the domain name
part.
fqdn The fully-qualified domain name of the host on which debsecan
runs.
ip The IP address of the host on which debsecan runs. This may be
inaccurate on multi-homed systems.
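The following POSIX shell script is an added example and not part of debsecan itself. It loads a configuration file in the name=value shell syntax described under CONFIGURATION FILE, checks the values the manual constrains (REPORT must be true or false, SUITE should be a release code name, DISABLE_HTTPS_CHECK=true is worth flagging), and expands the %(hostname)s, %(fqdn)s and %(ip)s macros in SUBJECT. The configuration text and the host identity values are constructed here rather than read from the running system; the function names (load_config, expand_macros, report_subject, write_sample_config) are this example's own.

```shell
#!/bin/sh
# Added example, not debsecan's own code: parse a debsecan-style
# configuration file and expand the three documented macros.

# Constructed sample configuration in the format of /etc/default/debsecan.
SAMPLE_CONFIG='REPORT=true
SUITE=sid
MAILTO="security-team@example.net"
SUBJECT="Debian security status of %(hostname)s (%(ip)s)"
DISABLE_HTTPS_CHECK=false'

# Constructed host identity. A real run would take these from
# hostname(1) and the resolver instead of hard-coding them.
MACRO_HOSTNAME=web01
MACRO_FQDN=web01.example.net
MACRO_IP=192.0.2.10

# write_sample_config FILE: write the constructed configuration to FILE.
write_sample_config() {
    printf '%s\n' "$SAMPLE_CONFIG" > "$1"
}

# expand_macros STRING: print STRING with %(hostname)s, %(fqdn)s and
# %(ip)s replaced. In sed's basic regex syntax "(" is a literal.
expand_macros() {
    printf '%s\n' "$1" | sed \
        -e "s/%(hostname)s/$MACRO_HOSTNAME/g" \
        -e "s/%(fqdn)s/$MACRO_FQDN/g" \
        -e "s/%(ip)s/$MACRO_IP/g"
}

# load_config FILE: source FILE (it is shell syntax) and validate the
# values the manual page constrains. Returns 1 on an invalid value.
load_config() {
    # shellcheck disable=SC1090
    . "$1" || return 1
    case "${REPORT:-true}" in
        true|false) ;;
        *) echo "REPORT must be true or false, got '$REPORT'" >&2; return 1 ;;
    esac
    # The manual requires the code name ("sid"), not the temporal name.
    case "${SUITE:-}" in
        stable|testing|unstable|oldstable)
            echo "SUITE must be a release code name, not '$SUITE'" >&2
            return 1 ;;
    esac
    if [ "${DISABLE_HTTPS_CHECK:-false}" = true ]; then
        echo "warning: HTTPS certificate checking is disabled" >&2
    fi
    return 0
}

# report_subject FILE: print the expanded SUBJECT line from FILE.
report_subject() {
    load_config "$1" || return 1
    expand_macros "${SUBJECT:-Debian security status of %(hostname)s}"
}

# Stand-alone usage: write the sample config to a temporary file and
# show the subject line a report would carry.
if [ -z "${DEBSECAN_EXAMPLE_NO_MAIN:-}" ]; then
    cfg=$(mktemp)
    write_sample_config "$cfg"
    report_subject "$cfg"
    rm -f "$cfg"
fi
```

Because the file is sourced, a configuration file is executable shell; keep /etc/default/debsecan writable by root only, which is the same reason the manual notes the name=value syntax rather than a free-form format.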
CHANGING THE WHITELIST
You can use the --add-whitelist and --remove-whitelist options to
change the whitelist. Whitelisted vulnerabilities are not included in
the reports. For example,
debsecan --add-whitelist CVE-2005-4601
ignores the vulnerability CVE-2005-4601 completely, while
debsecan --add-whitelist CVE-2005-4601 perlmagick
ignores it only as far as the perlmagick package is concerned. (This is
the same format that is produced by the --format simple option.) To remove
all whitelist entries for the CVE-2005-4601 vulnerability, use:
debsecan --remove-whitelist CVE-2005-4601
If you want to remove an entry for a specific vulnerability/package
pair, list the package name explicitly, as in:
debsecan --remove-whitelist CVE-2005-4601 imagemagick
You can list multiple vulnerabilities and packages. For example,
debsecan --add-whitelist CVE-2005-4601 \
CVE-2006-0082 imagemagick perlmagick
whitelists CVE-2005-4601 for all packages, and CVE-2006-0082 for the
imagemagick and perlmagick packages only.
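The whitelist semantics just described (a bare CVE entry covers every package, a "CVE package" entry covers only that pair) can be checked against --format simple output without running debsecan. The following POSIX shell script is an added example and not part of debsecan: both the whitelist and the simple-format report lines are constructed sample data, and the function names (is_whitelisted, filter_report, count_unwhitelisted) are this example's own.

```shell
#!/bin/sh
# Added example, not debsecan's own code: apply whitelist rules to
# "--format simple" output, which is one "CVE package" pair per line.

# Constructed whitelist, in the form --show-whitelist prints:
# a line with only a CVE ignores it for every package; a line with
# "CVE package" ignores only that pair.
WHITELIST='CVE-2005-4601
CVE-2006-0082 imagemagick
CVE-2006-0082 perlmagick'

# Constructed sample output from "debsecan --format simple".
SIMPLE_OUTPUT='CVE-2005-4601 perlmagick
CVE-2005-4601 imagemagick
CVE-2006-0082 imagemagick
CVE-2006-0082 libmagick9
CVE-2006-1234 openssl'

# is_whitelisted CVE PACKAGE: succeed if the pair is covered by the
# whitelist. A here-document is used instead of a pipe so the loop
# runs in the current shell and "return" works as expected.
is_whitelisted() {
    while read -r wcve wpkg; do
        [ "$wcve" = "$1" ] || continue
        if [ -z "$wpkg" ] || [ "$wpkg" = "$2" ]; then
            return 0
        fi
    done <<EOF
$WHITELIST
EOF
    return 1
}

# filter_report: read simple-format lines on stdin and print only the
# findings that are not whitelisted.
filter_report() {
    while read -r cve pkg; do
        [ -n "$cve" ] || continue
        is_whitelisted "$cve" "$pkg" || printf '%s %s\n' "$cve" "$pkg"
    done
}

# count_unwhitelisted: number of findings left after filtering.
count_unwhitelisted() {
    printf '%s\n' "$SIMPLE_OUTPUT" | filter_report | wc -l | tr -d ' '
}

# Stand-alone usage: print the findings that still need attention.
if [ -z "${DEBSECAN_EXAMPLE_NO_MAIN:-}" ]; then
    printf '%s\n' "$SIMPLE_OUTPUT" | filter_report
fi
```

With the sample data, CVE-2005-4601 disappears for both packages, CVE-2006-0082 is dropped for imagemagick but kept for libmagick9, and CVE-2006-1234 is untouched. Whitelisting a CVE without a package name therefore hides it everywhere, which is why the manual recommends the pair form when only one package has been assessed.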
CAVEATS
Much like the official Debian security advisories, debsecan's
vulnerability tracking is mostly based on source packages. This can be
confusing because tools like dpkg only display binary package names.
Therefore, debsecan displays the more familiar binary package names.
This has the unfortunate effect that all binary packages (including
packages containing only documentation, for example) are flagged as
vulnerable, and not only those packages which actually contain the
vulnerable code.
If the correct --suite option is specified, debsecan may mark some
packages as obsolete. This means that the binary package in question
has been removed from the archive. In this case, you need to update
all the packages depending on the obsolete package, and subsequently
remove the obsolete package.
For certain architectures, build daemons may lag considerably. In such
cases, debsecan may incorrectly mark a package as fixed, even if an
update is not yet available in the Debian archive.
Note that this version of debsecan uses the --suite option only to
determine the availability of corrected packages and to detect obsolete
packages. If you specify the wrong suite, only the information on
available security updates and obsolete packages is wrong, but the list
of vulnerabilities is correct.
Mixing packages from different Debian releases is supported, as long as
the packages still carry their official version numbers. Unknown
package versions (from backported packages, for example) are compared
to the version in Debian unstable only, which may lead to incorrect
reports.
EXAMPLES
This command prints all package names for which security fixes are
available:
debsecan --suite suite --format packages --only-fixed
If you pass this output to apt-get, you can download new packages which
contain security fixes. For example, if you are running sid:
apt-get install \
$(debsecan --suite sid --format packages --only-fixed)
The following command can be invoked periodically, to get notifications
of new security issues:
debsecan --suite suite --format report \
--update-history --mailto root
See debsecan-create-cron(8) for a tool which creates a suitable cron
entry.
ENVIRONMENT
https_proxy
This environment variable instructs debsecan to use a proxy
server to fetch the vulnerability data. It must be of the form
http://proxy.example.net:8080/ (mimicking a URL).
FILES
/etc/default/debsecan
Built-in location of the configuration file.
/var/lib/dpkg/status
File from which the package information is fetched by default.
AUTHOR
debsecan was written by Florian Weimer.
SEE ALSO
dpkg(1), debsecan-create-cron(8), apt-get(8)
2005-12-23 DEBSECAN(1)