Debian Package Version system

2012-11-22 Thread Arnoud Tijssen
Hi All,

After performing some vulnerability scans on some of our systems, one of the 
outcomes was that some software packages were out of date.
We're using the package management system of Debian and all packages were 
updated (apt-get update && apt-get (dist-)upgrade) prior to the scan.
The vulnerability scanner most likely compares the version against that of the 
source code, which differs.
How can I tell which version in the Debian package repository system 
corresponds to which version of the source code?
That way I can whitelist these software packages in our vulnerability scans.

Thnx,
Arnoud


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/e7e899956e6065488dbc6623f76f36a275bf5a6...@ramnl-ex02.ram.nl



Re: Debian Package Version system

2012-11-22 Thread Darac Marjal
On Thu, Nov 22, 2012 at 09:54:22AM +0100, Arnoud Tijssen wrote:
> Hi All,
> 
> After performing some vulnerability scans on some of our systems, one of the 
> outcomes was that some software packages were out of date.
> We're using the package management system of Debian and all packages were 
> updated (apt-get update && apt-get (dist-)upgrade) prior to the scan.
> The vulnerability scanner most likely compares the version against that of 
> the source code, which differs.
> How can I tell which version in the Debian package repository system 
> corresponds to which version of the source code?

http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Version
states that a debian package has a version number that is formatted as:
  [epoch:]upstream_version[-debian_revision]

That is, a small integer (0, if unspecified) followed by a colon, then
the upstream version, then (starting from the last hyphen) the debian
revision (again 0 if unspecified).

So, taking some examples from my system:
 bash:      4.1-3               -> Upstream: 4.1
 acpid:     1:2.0.7-1squeeze4   -> Upstream: 2.0.7
 etckeeper: 0.48                -> Upstream: 0.48

> That way I can whitelist these software packages in our vulnerability scans.

You might want to consider WHY the software was updated. Is there a
newer upstream because there's a security vulnerability, or is it just
new features (possibly untested)?



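The split Darac describes (epoch up to the first colon, Debian revision from the last hyphen, everything between is upstream) is easy to get wrong by hand when a version contains extra hyphens or colons, and a scanner whitelist is only useful if it is generated from the installed packages rather than typed in. The following is an added example, not code from anyone in this thread: it parses versions according to the Policy format quoted above, turns `dpkg-query -W -f='${Package} ${Version}\n'` output into a package -> upstream-version map, and re-implements dpkg's ordering rules (digit runs compared numerically, non-digit runs by character weight, `~` sorting before everything) so that two Debian versions can be compared without shelling out to `dpkg --compare-versions`. The sample dpkg-query output is constructed from the three packages Darac listed.

```python
"""Parse and order Debian package versions ([epoch:]upstream_version[-debian_revision]).
Added example for this thread; the comparison mirrors dpkg's verrevcmp rules."""
from typing import Dict, NamedTuple


class DebVersion(NamedTuple):
    epoch: int
    upstream: str
    revision: str  # "" when absent (native package); dpkg treats "" and "0" as equal


def parse_version(version: str) -> DebVersion:
    """Epoch ends at the FIRST colon, revision starts at the LAST hyphen,
    so the upstream part may itself contain ':' or '-'."""
    raw = version
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        if not epoch_str.isdigit():
            raise ValueError(f"epoch must be an unsigned integer: {raw!r}")
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    if not upstream:
        raise ValueError(f"empty upstream_version: {raw!r}")
    return DebVersion(epoch, upstream, revision)


def _order(c: str) -> int:
    """Weight of one character in a non-digit run, as dpkg assigns it:
    '~' < end-of-string < digits(0) < letters (ASCII) < other symbols."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_segment(a: str, b: str) -> int:
    """Compare one upstream or revision string; returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run: character by character using _order()
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: numeric comparison, leading zeros ignored
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():  # a has more digits -> larger number
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a: str, b: str) -> int:
    """<0 if a < b, 0 if equal, >0 if a > b, in dpkg ordering."""
    va, vb = parse_version(a), parse_version(b)
    if va.epoch != vb.epoch:
        return va.epoch - vb.epoch
    r = _cmp_segment(va.upstream, vb.upstream)
    return r if r else _cmp_segment(va.revision, vb.revision)


# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output,
# using the packages from the reply above.
DPKG_QUERY_SAMPLE = """\
bash 4.1-3
acpid 1:2.0.7-1squeeze4
etckeeper 0.48
"""


def upstream_versions(dpkg_query_output: str) -> Dict[str, str]:
    """Map package name -> upstream version, e.g. for a scanner whitelist."""
    result: Dict[str, str] = {}
    for line in dpkg_query_output.splitlines():
        if not line.strip():
            continue
        name, version = line.split(None, 1)
        result[name] = parse_version(version.strip()).upstream
    return result


if __name__ == "__main__":
    for pkg, up in upstream_versions(DPKG_QUERY_SAMPLE).items():
        print(f"{pkg}: upstream {up}")
    print(compare_versions("1:2.0.7-1squeeze4", "2.0.7-1"))  # epoch wins: > 0
```

Feed it real data with `dpkg-query -W -f='${Package} ${Version}\n' | python3 thisfile.py` adapted to read stdin; the epoch is the part most scanners trip over, since `1:2.0.7-1squeeze4` sorts above any un-epoched `2.x` version regardless of what the digits say.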


RE: Debian Package Version system

2012-11-22 Thread Arnoud Tijssen
Thanks for the info, this solves the issue.
I probably have been looking in the wrong direction.


-Original Message-
From: Darac Marjal [mailto:mailingl...@darac.org.uk] 
Sent: Thursday 22 November 2012 15:51
To: debian-user@lists.debian.org
Subject: Re: Debian Package Version system

On Thu, Nov 22, 2012 at 09:54:22AM +0100, Arnoud Tijssen wrote:
> Hi All,
> 
> After performing some vulnerability scans on some of our systems, one of the 
> outcomes was that some software packages were out of date.
> We're using the package management system of Debian and all packages were 
> updated (apt-get update && apt-get (dist-)upgrade) prior to the scan.
> The vulnerability scanner most likely compares the version against that of 
> the source code, which differs.
> How can I tell which version in the Debian package repository system 
> corresponds to which version of the source code?

http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Version
states that a debian package has a version number that is formatted as:
  [epoch:]upstream_version[-debian_revision]

That is, a small integer (0, if unspecified) followed by a colon, then the 
upstream version, then (starting from the last hyphen) the debian revision 
(again 0 if unspecified).

So, taking some examples from my system:
 bash:      4.1-3               -> Upstream: 4.1
 acpid:     1:2.0.7-1squeeze4   -> Upstream: 2.0.7
 etckeeper: 0.48                -> Upstream: 0.48

> That way I can whitelist these software packages in our vulnerability scans.

You might want to consider WHY the software was updated. Is there a newer 
upstream because there's a security vulnerability, or is it just new features 
(possibly untested)?





Re: Debian Package Version system

2012-11-22 Thread Florian Ernst
Hello all,

On Thu, Nov 22, 2012 at 09:54:22AM +0100, Arnoud Tijssen wrote:
> After performing some vulnerability scans on some of our systems, one of
> the outcomes was that some software packages were out of date.
> We're using the package management system of Debian and all packages
> were updated (apt-get update && apt-get (dist-)upgrade) prior to the
> scan.

Such scans often merely compare version numbers, which most often isn't
quite appropriate to determine whether a certain vulnerability still
exists. Please see "The version number for a package indicates that I am
still running a vulnerable version!" in the Debian Security FAQ at
http://www.debian.org/security/faq#version

The remainder of that page provides further insight into some of the
peculiarities involved.

Cheers,
Flo


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20121122161341.gr14...@fernst.no-ip.org