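# Install debsecan from the Debian archive (refresh the package index first so
# the install and later 'apt list --upgradable' checks see current versions).
sudo apt update
sudo apt install debsecan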
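# Option overview (formats, --only-fixed, whitelist handling).
debsecan --help

# Find the release codename for this host; every scan below must pass it as
# --suite, otherwise debsecan compares against the wrong release's package
# versions. Sourcing os-release also imports its other variables (NAME, ID,
# ...) into the current shell, which is harmless interactively.
. /etc/os-release
echo "$VERSION_CODENAME"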
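# Scan the packages installed on this host. Replace 'bookworm' with the codename
# printed by the previous step; a mismatched suite gives misleading results.
debsecan --suite bookworm

# Fuller per-vulnerability output (useful when triaging a specific finding).
debsecan --suite bookworm --format detail

# Identifiers only (CVE / bug names), one per line.
debsecan --suite bookworm --format bugs

# Affected package names only, one per line (see the 'sort -u' step later).
debsecan --suite bookworm --format packages

# Restrict to issues for which Debian already has a fix. Issues this drops are
# still open on the host -- track them separately rather than forgetting them.
debsecan --suite bookworm --only-fixed
debsecan --suite bookworm --only-fixed --format packages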
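# What APT would upgrade right now. Informational only: apt's 'list' output is
# not a stable interface for scripts.
apt list --upgradable

# Installed vs candidate version and the repository each one comes from. Check
# that the candidate carrying a fix originates from the security/updates suite
# you expect, not from an unrelated source.
apt-cache policy openssl

# Same checks for any package named in the debsecan output; security uploads
# normally reference the CVE in the changelog entry.
apt-cache policy package-name
apt changelog package-name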
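# Collect the fixable packages into an array, one element per line (-t strips
# the newline), rather than word-splitting the command output.
mapfile -t pkgs < <(debsecan --suite bookworm --only-fixed --format packages | sort -u)
printf '%s\n' "${pkgs[@]}"

# Apply the fixes. 'apt upgrade' never removes packages, so a fix whose
# dependencies conflict with something installed is held back and will still
# appear in the re-scan below.
sudo apt upgrade

# Re-scan to confirm the fixable findings are gone (same suite as above).
debsecan --suite bookworm --format detail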
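# Before whitelisting or removing a package, see what depends on it and what
# it provides.
apt-cache rdepends package-name
apt show package-name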
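# Whitelisting suppresses a finding; it does not fix anything. Without a
# package argument the entry is not scoped to one package, so prefer the
# package-scoped form below.
debsecan --add-whitelist CVE-2005-4601

# Scoped form: suppress this CVE for imagemagick only.
debsecan --add-whitelist CVE-2005-4601 imagemagick

# The whitelist command takes only the CVE and package name, so record the
# justification and a review date in your own change records, and audit the
# list regularly.
debsecan --show-whitelist

# Remove the entry once the package is upgraded or the justification lapses.
debsecan --remove-whitelist CVE-2005-4601 imagemagick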
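# Set up the periodic cron job (see the debsecan-create-cron man page linked at
# the end of this page for what it configures).
sudo debsecan-create-cron

# Cron-style run: the 'report' format with --update-history records what has
# already been reported so subsequent runs only surface new findings.
debsecan \
  --suite bookworm \
  --format report \
  --update-history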
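# Build a small daily review script, install it system-wide, and run it once.
# The heredoc delimiter is quoted ('EOF') so nothing is expanded while the file
# is written; every expansion happens when the script itself runs.
cat <<'EOF' > debsecan-review
#!/usr/bin/env bash
# debsecan-review [SUITE]
#   Prints the fixable vulnerabilities for this host, the affected packages,
#   and what APT currently wants to upgrade. SUITE defaults to the codename in
#   /etc/os-release and must match the running release, or the report is wrong.
set -euo pipefail

if ! command -v debsecan >/dev/null 2>&1; then
  printf 'debsecan-review: debsecan is not installed (apt install debsecan)\n' >&2
  exit 1
fi

# Read the codename in a subshell so os-release variables do not leak into this
# script. An empty result is an error rather than a silent scan of no suite.
suite="${1:-$(. /etc/os-release && printf '%s' "${VERSION_CODENAME:-}")}"
if [[ -z "$suite" ]]; then
  printf 'debsecan-review: cannot determine the suite from /etc/os-release; pass it as the first argument\n' >&2
  exit 2
fi

echo "== debsecan summary for suite: ${suite} =="
# --only-fixed hides issues without a Debian fix; they are still open on this
# host, so review the unfiltered 'debsecan --suite' output separately.
debsecan --suite "$suite" --only-fixed --format summary
echo
echo "== unique affected packages with fixes available =="
debsecan --suite "$suite" --only-fixed --format packages | sort -u
echo
echo "== apt upgradable =="
# apt warns on stderr that its CLI output is not stable; the list is purely
# informational, so a failure here must not abort the report.
apt list --upgradable 2>/dev/null || true
EOF
sudo install -m 0755 debsecan-review /usr/local/bin/debsecan-review
/usr/local/bin/debsecan-review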
/usr/local/bin/debsecan-review

What this workflow gives you:

- see vulnerabilities that affect packages installed on one host
- separate general CVE noise from package exposure on that system
- focus first on issues that already have a fix available
- build a lightweight daily review workflow

How the pieces fit together:

- debsecan tells you which installed packages are affected
- --only-fixed narrows the list to issues with a known fix available; the issues it hides are still open on the host, so review the unfiltered `debsecan --suite <codename>` output periodically as well
- apt list --upgradable shows what APT currently wants to upgrade
- apt-cache policy helps you inspect candidate versions and repository origin (confirm that a candidate carrying a fix comes from the security or updates suite you expect)

Reasons that can justify a whitelist entry (the whitelist command takes only the CVE and package name, so keep the justification and review date in your own records):

- the package is installed but not in active use
- the vulnerable code path is not present in your deployment
- you have a compensating control and a planned review date

Checklist:

- Install debsecan
- Run debsecan --suite <codename> --only-fixed
- Review affected packages with --format packages, apt list --upgradable, and apt-cache policy
- Upgrade during your normal maintenance process
- Use a whitelist sparingly
- Add a daily report path

References:

- Debian debsecan man page: https://manpages.debian.org/bookworm/debsecan/debsecan.1.en.html
- Debian debsecan-create-cron man page: https://manpages.debian.org/bookworm/debsecan/debsecan-create-cron.8.en.html
- Debian Securing Manual, Security Tracker section: https://www.debian.org/doc/manuals/securing-debian-manual/ch07s03.en.html
- Debian Security Tracker: https://security-tracker.debian.org/
- Debian Security Team tracker overview: https://security-team.debian.org/security_tracker.html