Man Linux: Main Page and Category List


       debsecan - Debian Security Analyzer


       debsecan options...


       debsecan  analyzes  the  list of installed packages on the current host
       and reports vulnerabilities found on the system.


       --suite count
              Choose a specific suite.   debsecan  produces  more  informative
              output  (including  obsolete  packages)  if the correct suite is
              specified.  The release code name has to be  used  ("sid"),  not
              the temporal name ("unstable").

       --whitelist file
              Change the name of the whitelist file.

       --add-whitelist, --remove-whitelist, --show-whitelist
              Add or remove entries from the whitelist, or print the whitelist
              to standard output.  See  the  CHANGING  THE  WHITELIST  section

       --source url
              Override the default download URL for vulnerability data.

       --status file
              Evaluate a different dpkg status file.

       --format format
              Change the output format.  If format is summary (the default), a
              short summary for each vulnerability  is  printed.   The  simple
              format  is  like  the  summary  format, except that only the bug
              packages names are printed.  For  bugs  and  packages,  debsecan
              lists   the   names  of  vulnerabilities  and  binary  packages,
              respectively.  --format detail requests a verbose output format,
              showing all available data.  The report format is used for email

       --line-length characters
              Specifies the line length in report mode.  The default is 72.

       --mailto mailbox
              The --mailto option instructions debsecan to the send the report
              to  the email address mailbox.  No report is sent if there where
              no changes since  the  last  invocation  with  --update-history.
              This  option  requires  the  --format report output format.  The
              option value may contain macros, see the  section  CONFIGURATION
              FILE MACROS below.

              Only  list  vulnerabilities  for which a fix is available in the
              archive.  Note that it can happen that a fix is listed, although
              the package has not been built for the system’s architecture and
              is not yet available for download.  (If you use this option, you
              also must specify the correct suite using --suite.)

              Do  not  list  any  obsolete  packages  (see below).  Using this
              option is not recommended because it hides real  vulnerabilities
              on some systems, not just false positives.

       --history file
              Change the name of the history file used by --format report.

              Update  the  vulnerability status information after reporting it
              using --format report.

       --cron Internal option used for invocations from cron.  Checks  if  the
              vulnerability  data  has already been downloaded today.  In this
              case,  further  processing  is  skipped.   See  debsecan-create-
              cron(8) for instructions how to create a suitable cron entry.

       --config file
              Sets the location of the configuration file.

       --help Display a short help message and exit.

              Display version information and exit.


       The  configuration  file  contains the following variables.  It follows
       name=value shell syntax.  If value contains white  space,  it  must  be
       surrounded  by  double  quotes.  Some variables may contain macros; see
       the section CONFIGURATION FILE MACROS below.

       MAILTO Sets the email address to which reports are sent in --cron mode.
              May contain macros.

       REPORT Controls  whether  debsecan  does  any  processing whatsoever in
              --cron mode.  (Permitted values: true and false.)

       SOURCE Controls  the  URL  from  which  vulnerability  information   is
              fetched.  If empty, the built-in default is used.

       SUITE  Sets the default value of the --suite option (see there).

              Changes the subject line of reports.  May contain macros.


       Macro  processing  replaces  strings  of the form %s(key)s with system-
       dependent values.  Support keys are:

              The host name on which debsecan runs, without  the  domain  name

       fqdn   The  fully-qualified  domain  name of the host on which debsecan

       ip     The IP address of the host on which debsecan runs.  This may  be
              inaccurate on multi-homed systems.


       You  can  use  the  --add-whitelist  and  --remove-whitelist options to
       change the whitelist.  Whitelisted vulnerabilities are not included  in
       the reports.  For example,

              debsecan --add-whitelist CVE-2005-4601

       ignores the vulnerability CVE-2005-4601 completely, while

              debsecan --add-whitelist CVE-2005-4601 perlmagick

       ignores  it  only  as far as the perlmagick is concerned.  (This is the
       same format that is produced by the --format simple option.)  To remove
       all whitelist entries for the CVE-2005-4601 vulnerability, use:

              debsecan --remove-whitelist CVE-2005-4601

       If  you  want  to  remove an entry for a specific vulnerability/package
       pair, list the package name explicitly, as in:

              debsecan --remove-whitelist CVE-2005-4601 imagemagick

       You can list multiple vulnerability and packages.  For example,

              debsecan --add-whitelist CVE-2005-4601 \
                 CVE-2006-0082 imagemagick perlmagick

       whitelists CVE-2005-4601 for all packages, and  CVE-2006-0082  for  the
       imagemagick and perlmagick packages only.


       Much   like   the   official  Debian  security  advisories,  debsecan’s
       vulnerability tracking is mostly based on source packages.  This can be
       confusing  because  tools  like dpkg only display binary package names.
       Therefore, debsecan displays the more familiar  binary  package  names.
       This  has  the  unfortunate  effect that all binary packages (including
       packages containing only documentation, for  example)  are  flagged  as
       vulnerable,  and  not  only  those  packages which actually contain the
       vulnerable code.

       If the correct --suite option is  specified,  debsecan  may  mark  some
       packages  as  obsolete.  This means that the binary package in question
       has been removed from the archive.  In this case, you  need  to  update
       all  the  packages  depending on the obsolete package, and subsequently
       remove the obsolete package.

       For certain architectures, build daemons may lag considerably.  In such
       case,  debsecan  may  incorrectly  mark  a package as fixed, even if an
       update is not yet available in the Debian archive.

       Note that debsecan version uses the --suite option  only  to  determine
       the availability of corrected packages and to detect obsolete packages.
       If you specify the wrong  suite,  only  the  information  on  available
       security  updates  and  obsolete  packages  is  wrong,  but the list of
       vulnerabilities is correct.

       Mixing packages from different Debian releases is supported, as long as
       the  packages  still  carry  their  official  version numbers.  Unknown
       package versions (from backported packages, for example)  are  compared
       to  the  version  in  Debian unstable only, which may lead to incorrect


       This command prints all package names  for  which  security  fixes  are

              debsecan --suite suite --format packages --only-fixed

       If you pass this output to apt-get, you can download new packages which
       contain security fixes.  For example, if you are running sid:

              apt-get install \
                 $(debsecan --suite sid --format packages --only-fixed)

       The following command can be invoked periodically, to get notifications
       of new security issues:

              debsecan --suite suite --format report \
                 --update-history --mailto root

       See  debsecan-create-cron(8)  for  a tool which creates a suitable cron


              This environment variable instructs  debsecan  to  use  a  proxy
              server  to fetch the vulnerability data.  It must be of the form
     (mimicking a URL).


              Built-in location of the configuration file.

              File from which the package information is fetched by default.


       debsecan was written by Florian Weimer.


       dpkg(1), debsecan-create-cron(8), apt-get(8)