When using debsecan on a fully updated stretch machine, I get a whole list of CVEs. The kernel package is the latest from stretch-updates/main, but that is not matched in the security-tracker output. The 4.9.144-3.1 version is not mentioned on https://security-tracker.debian.org/tracker/source-package/linux; should it be? It is also odd that the 'stretch (security)' version is so far behind the normal stretch version (4.9.110-3+deb9u6 vs 4.9.144-3).
# debsecan --suite stretch --only-fixed --no-obsolete --format summary
CVE-2017-0786 linux-image-4.9.0-8-amd64 (fixed, remotely exploitable, medium urgency)
CVE-2017-0861 linux-image-4.9.0-8-amd64 (fixed, medium urgency)
CVE-2017-1000 linux-image-4.9.0-8-amd64 (fixed)
CVE-2017-1000111 linux-image-4.9.0-8-amd64 (fixed, high urgency)
CVE-2017-1000112 linux-image-4.9.0-8-amd64 (fixed, medium urgency)
CVE-2017-1000251 linux-image-4.9.0-8-amd64 (fixed, remotely exploitable, high urgency)
CVE-2017-1000252 linux-image-4.9.0-8-amd64 (fixed, low urgency)
CVE-2017-1000255 linux-image-4.9.0-8-amd64 (fixed, medium urgency)
CVE-2017-1000364 linux-image-4.9.0-8-amd64 (fixed, medium urgency)
CVE-2017-1000365 linux-image-4.9.0-8-amd64 (fixed, high urgency)
...

# dpkg -l 'linux-image-*'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                      Version       Architecture Description
+++-=========================-=============-============-===================================
ii  linux-image-4.9.0-8-amd64 4.9.144-3.1   amd64        Linux 4.9 for 64-bit PCs
ii  linux-image-amd64         4.9+80+deb9u6 amd64        Linux for 64-bit PCs (meta-package)