debian Debian/Ubuntu Linux: Find If Installed APT Package Includes a Fix/Patch Via CVE Number

I am a Debian Linux server user. How do I view the changelog of an installed package and find out if given CVE includes a fix or patch? How do I see a fix or patch already applied to installed package on a Ubuntu or Debian LTS server?

The changelog of an installed package is usaully stored as follows on a Debian or Ubuntu or Mint Linux:




  1. Directory: /usr/share/doc/$PackageNameHere/
  2. Changelog file name: changelog.Debian.gz

You can use the less or zgrep command to view /usr/share/doc/<PackageNameHere>/changelog.Debian.gz file.


You need to replace <PackageNameHere> with the actual package name:

less /usr/share/doc/<PackageNameHere>/changelog.Debian.gz
zgrep 'cve-number-here' /usr/share/doc/<PackageNameHere>/changelog.Debian.gz

Examples: Find lighttpd package change log

In this example view info about a package called lighttpd, enter:

less /usr/share/doc/lighttpd/changelog.Debian.gz

Sample outputs:

Fig.01: Debian / Ubuntu Linux See The Changelog Of an Installed Package
Fig.01: Debian / Ubuntu Linux See The Changelog Of an Installed Package


Example: See if lighttpd package includes a fix/patch for cve # cve-2013-4559

To find out if installed package called lighttpd includes a fix or patch, enter:

$ zgrep -i cve-2013-4559 /usr/share/doc/lighttpd/changelog.Debian.gz
  * Fix cve-2013-4559: setuid privilege escalation issue.

To display all cve, enter:

$ zgrep -i cve /usr/share/doc/lighttpd/changelog.Debian.gz
  * Fix regression caused by the fix for cve-2013-4508 (closes: #729480).
  * Fix cve-2013-4508: ssl cipher suites issue.
  * Fix cve-2013-4559: setuid privilege escalation issue.
  * Fix cve-2013-4560: use-after-free in fam.
  * CVE-2013-1427: Switch the socket path for PHP when using FastCGI. /tmp is
    - CVE-2013-1427: Switch the socket path for PHP when using FASTCGI. /tmp 

Say hello to debsecan

debsecan analyzes the list of installed packages on the current host and reports vulnerabilities found on the system.


Use the apt command/apt-get command to install it:
$ sudo apt install debsecan
Sample outputs:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  exim4 exim4-base exim4-config exim4-daemon-light s-nail
Suggested packages:
  eximon4 exim4-doc-html | exim4-doc-info spf-tools-perl swaks
The following NEW packages will be installed:
  debsecan exim4 exim4-base exim4-config exim4-daemon-light s-nail
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,026 kB of archives.
After this operation, 4,653 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 xenial/universe amd64 debsecan all 0.4.18 [33.9 kB]
Get:2 xenial-updates/main amd64 exim4-config all 4.86.2-2ubuntu2.2 [298 kB]
Get:3 xenial-updates/main amd64 exim4-base amd64 4.86.2-2ubuntu2.2 [869 kB]
Get:4 xenial-updates/main amd64 exim4-daemon-light amd64 4.86.2-2ubuntu2.2 [465 kB]
Get:5 xenial-updates/main amd64 exim4 all 4.86.2-2ubuntu2.2 [7,904 B]
Get:6 xenial/universe amd64 s-nail amd64 14.8.6-1 [353 kB]
Fetched 2,026 kB in 0s (2,406 kB/s)
Preconfiguring packages ...
Selecting previously unselected package debsecan.
(Reading database ... 144268 files and directories currently installed.)
Preparing to unpack .../debsecan_0.4.18_all.deb ...
Unpacking debsecan (0.4.18) ...
Selecting previously unselected package exim4-config.
Preparing to unpack .../exim4-config_4.86.2-2ubuntu2.2_all.deb ...
Unpacking exim4-config (4.86.2-2ubuntu2.2) ...
Selecting previously unselected package exim4-base.
Preparing to unpack .../exim4-base_4.86.2-2ubuntu2.2_amd64.deb ...
Unpacking exim4-base (4.86.2-2ubuntu2.2) ...
Selecting previously unselected package exim4-daemon-light.
Preparing to unpack .../exim4-daemon-light_4.86.2-2ubuntu2.2_amd64.deb ...
Unpacking exim4-daemon-light (4.86.2-2ubuntu2.2) ...
Selecting previously unselected package exim4.
Preparing to unpack .../exim4_4.86.2-2ubuntu2.2_all.deb ...
Unpacking exim4 (4.86.2-2ubuntu2.2) ...
Selecting previously unselected package s-nail.
Preparing to unpack .../s-nail_14.8.6-1_amd64.deb ...
Unpacking s-nail (14.8.6-1) ...
Processing triggers for man-db (2.7.5-1) ...
Processing triggers for systemd (229-4ubuntu17) ...
Processing triggers for ureadahead (0.100.0-19) ...
Setting up debsecan (0.4.18) ...
Setting up exim4-config (4.86.2-2ubuntu2.2) ...
Adding system-user for exim (v4)
Setting up exim4-base (4.86.2-2ubuntu2.2) ...
exim: DB upgrade, deleting hints-db
Setting up exim4-daemon-light (4.86.2-2ubuntu2.2) ...
Setting up exim4 (4.86.2-2ubuntu2.2) ...
Setting up s-nail (14.8.6-1) ...
update-alternatives: using /usr/bin/s-nail to provide /usr/bin/mailx (mailx) in auto mode
Processing triggers for systemd (229-4ubuntu17) ...
Processing triggers for ureadahead (0.100.0-19) ...


Just run it as follows:
$ debsecan | more
Sample outputs:

CVE-2016-2775 bind9-host (remotely exploitable, medium urgency)
CVE-2016-2776 bind9-host (remotely exploitable, high urgency)
CVE-2016-6170 bind9-host (remotely exploitable, medium urgency)
CVE-2016-8864 bind9-host (remotely exploitable, medium urgency)
CVE-2016-9131 bind9-host (remotely exploitable, medium urgency)
CVE-2016-9147 bind9-host (remotely exploitable, medium urgency)
CVE-2016-9444 bind9-host (remotely exploitable, medium urgency)
CVE-2017-3135 bind9-host
CVE-2017-3136 bind9-host
CVE-2017-3137 bind9-host
CVE-2017-3138 bind9-host
CVE-2016-9243 python3-cryptography (remotely exploitable, medium urgency)
CVE-2016-1248 vim-tiny (remotely exploitable, medium urgency)
CVE-2017-5953 vim-tiny (remotely exploitable, high urgency)
CVE-2017-6349 vim-tiny (remotely exploitable, high urgency)
CVE-2017-6350 vim-tiny (remotely exploitable, high urgency)
CVE-2015-1331 liblxc1 (medium urgency)
CVE-2015-1334 liblxc1 (medium urgency)
CVE-2015-1335 liblxc1 (high urgency)
CVE-2016-10124 liblxc1 (remotely exploitable, medium urgency)
CVE-2016-8649 liblxc1 (remotely exploitable, high urgency)
CVE-2016-10228 locales (remotely exploitable, medium urgency)
CVE-2016-6323 locales (remotely exploitable, medium urgency)
CVE-2017-1000366 locales
CVE-2017-8804 locales (remotely exploitable, high urgency)
CVE-2017-6507 libapparmor-perl (remotely exploitable, medium urgency)
CVE-2016-2324 git (remotely exploitable, high urgency)
CVE-2017-8386 git (remotely exploitable, medium urgency)
CVE-2017-6594 libheimntlm0-heimdal
CVE-2016-7942 libx11-data (remotely exploitable, high urgency)
CVE-2016-7943 libx11-data (remotely exploitable, high urgency)
CVE-2015-8948 libidn11 (remotely exploitable, medium urgency)
CVE-2016-6261 libidn11 (remotely exploitable, medium urgency)
CVE-2016-6263 libidn11 (remotely exploitable, medium urgency)
CVE-2016-1233 fuse (high urgency)
CVE-2016-2568 libpolkit-gobject-1-0 (medium urgency)
TEMP-0000000-4DA0A8 libdbus-1-3
CVE-2016-2779 util-linux (high urgency)
CVE-2016-5011 util-linux (medium urgency)
CVE-2017-6964 eject (high urgency)
CVE-2016-2779 libsmartcols1 (high urgency)
CVE-2016-5011 libsmartcols1 (medium urgency)

You can use the grep command to search for any package name or CVE as follows:
$ debsecan | grep -i openvpn
Sample outputs:

CVE-2017-7478 openvpn (remotely exploitable, medium urgency)
CVE-2017-7479 openvpn (remotely exploitable, medium urgency)
CVE-2017-7508 openvpn
CVE-2017-7520 openvpn
CVE-2017-7521 openvpn

Or search for CVE-2017-1000364
$ debsecan | grep -i CVE-2017-1000364
Sample outputs:

CVE-2017-1000364 linux-image-4.4.0-79-generic
CVE-2017-1000364 linux-headers-4.4.0-79
CVE-2017-1000364 linux-headers-4.4.0-79-generic
CVE-2017-1000364 linux-headers-4.4.0-81-generic
CVE-2017-1000364 linux-headers-4.4.0-78
CVE-2017-1000364 linux-headers-4.4.0-81
CVE-2017-1000364 linux-headers-4.4.0-78-generic
CVE-2017-1000364 linux-headers-4.4.0-63
CVE-2017-1000364 linux-image-4.4.0-78-generic
CVE-2017-1000364 linux-headers-4.4.0-63-generic
CVE-2017-1000364 linux-image-4.4.0-63-generic
CVE-2017-1000364 linux-image-4.4.0-81-generic

A note about Debian security tracker

You can always use web based security tracker located at the following url:

  2. See security history of openvpn package.
0 (0)
Article Rating (No Votes)
Rate this article
There are no attachments for this article.
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
10 Linux cryptsetup Examples for LUKS Key Management (How to Add, Remove, Change, Reset LUKS encryption Key)
Viewed 2547 times since Tue, Jul 31, 2018
RHCS6: Show/Add GFS2/GFS journals
Viewed 11279 times since Sun, Jun 3, 2018
Linux Customizing Bash
Viewed 441 times since Sun, Dec 6, 2020
FIO (Flexible I/O) – a benchmark tool for any operating system
Viewed 18031 times since Wed, Jul 25, 2018
Procedura powiekszania OCFS2 online
Viewed 4498 times since Fri, Jun 8, 2018
RHCS6: ’fencing’ basics
Viewed 1185 times since Sun, Jun 3, 2018
How to remove CTRL-M (^M) characters from a file in Linux
Viewed 859 times since Thu, Feb 7, 2019
Using Kerberos security with Server for NFS
Viewed 6358 times since Wed, Jun 27, 2018
Szybkie sprawdzenie zewnętrznego adresu IP i hosta
Viewed 1765 times since Thu, May 24, 2018
RHEL: Back-up/Replicate a partition table
Viewed 1787 times since Sun, May 27, 2018