debian Debian/Ubuntu Linux: Find If Installed APT Package Includes a Fix/Patch Via CVE Number

I am a Debian Linux server user. How do I view the changelog of an installed package and find out if given CVE includes a fix or patch? How do I see a fix or patch already applied to installed package on a Ubuntu or Debian LTS server?

The changelog of an installed package is usaully stored as follows on a Debian or Ubuntu or Mint Linux:

 

 

 

  1. Directory: /usr/share/doc/$PackageNameHere/
  2. Changelog file name: changelog.Debian.gz

You can use the less or zgrep command to view /usr/share/doc/<PackageNameHere>/changelog.Debian.gz file.

Syntax

You need to replace <PackageNameHere> with the actual package name:

less /usr/share/doc/<PackageNameHere>/changelog.Debian.gz
zgrep 'cve-number-here' /usr/share/doc/<PackageNameHere>/changelog.Debian.gz

Examples: Find lighttpd package change log

In this example view info about a package called lighttpd, enter:

less /usr/share/doc/lighttpd/changelog.Debian.gz

Sample outputs:

Fig.01: Debian / Ubuntu Linux See The Changelog Of an Installed Package
Fig.01: Debian / Ubuntu Linux See The Changelog Of an Installed Package

 

Example: See if lighttpd package includes a fix/patch for cve # cve-2013-4559

To find out if installed package called lighttpd includes a fix or patch, enter:

$ zgrep -i cve-2013-4559 /usr/share/doc/lighttpd/changelog.Debian.gz
  * Fix cve-2013-4559: setuid privilege escalation issue.

To display all cve, enter:

$ zgrep -i cve /usr/share/doc/lighttpd/changelog.Debian.gz
  * Fix regression caused by the fix for cve-2013-4508 (closes: #729480).
  * Fix cve-2013-4508: ssl cipher suites issue.
  * Fix cve-2013-4559: setuid privilege escalation issue.
  * Fix cve-2013-4560: use-after-free in fam.
  * CVE-2013-1427: Switch the socket path for PHP when using FastCGI. /tmp is
    - CVE-2013-1427: Switch the socket path for PHP when using FASTCGI. /tmp 

Say hello to debsecan

debsecan analyzes the list of installed packages on the current host and reports vulnerabilities found on the system.

Installation

Use the apt command/apt-get command to install it:
$ sudo apt install debsecan
Sample outputs:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  exim4 exim4-base exim4-config exim4-daemon-light s-nail
Suggested packages:
  eximon4 exim4-doc-html | exim4-doc-info spf-tools-perl swaks
The following NEW packages will be installed:
  debsecan exim4 exim4-base exim4-config exim4-daemon-light s-nail
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,026 kB of archives.
After this operation, 4,653 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://mirrors.digitalocean.com/ubuntu xenial/universe amd64 debsecan all 0.4.18 [33.9 kB]
Get:2 http://mirrors.digitalocean.com/ubuntu xenial-updates/main amd64 exim4-config all 4.86.2-2ubuntu2.2 [298 kB]
Get:3 http://mirrors.digitalocean.com/ubuntu xenial-updates/main amd64 exim4-base amd64 4.86.2-2ubuntu2.2 [869 kB]
Get:4 http://mirrors.digitalocean.com/ubuntu xenial-updates/main amd64 exim4-daemon-light amd64 4.86.2-2ubuntu2.2 [465 kB]
Get:5 http://mirrors.digitalocean.com/ubuntu xenial-updates/main amd64 exim4 all 4.86.2-2ubuntu2.2 [7,904 B]
Get:6 http://mirrors.digitalocean.com/ubuntu xenial/universe amd64 s-nail amd64 14.8.6-1 [353 kB]
Fetched 2,026 kB in 0s (2,406 kB/s)
Preconfiguring packages ...
Selecting previously unselected package debsecan.
(Reading database ... 144268 files and directories currently installed.)
Preparing to unpack .../debsecan_0.4.18_all.deb ...
Unpacking debsecan (0.4.18) ...
Selecting previously unselected package exim4-config.
Preparing to unpack .../exim4-config_4.86.2-2ubuntu2.2_all.deb ...
Unpacking exim4-config (4.86.2-2ubuntu2.2) ...
Selecting previously unselected package exim4-base.
Preparing to unpack .../exim4-base_4.86.2-2ubuntu2.2_amd64.deb ...
Unpacking exim4-base (4.86.2-2ubuntu2.2) ...
Selecting previously unselected package exim4-daemon-light.
Preparing to unpack .../exim4-daemon-light_4.86.2-2ubuntu2.2_amd64.deb ...
Unpacking exim4-daemon-light (4.86.2-2ubuntu2.2) ...
Selecting previously unselected package exim4.
Preparing to unpack .../exim4_4.86.2-2ubuntu2.2_all.deb ...
Unpacking exim4 (4.86.2-2ubuntu2.2) ...
Selecting previously unselected package s-nail.
Preparing to unpack .../s-nail_14.8.6-1_amd64.deb ...
Unpacking s-nail (14.8.6-1) ...
Processing triggers for man-db (2.7.5-1) ...
Processing triggers for systemd (229-4ubuntu17) ...
Processing triggers for ureadahead (0.100.0-19) ...
Setting up debsecan (0.4.18) ...
Setting up exim4-config (4.86.2-2ubuntu2.2) ...
Adding system-user for exim (v4)
Setting up exim4-base (4.86.2-2ubuntu2.2) ...
exim: DB upgrade, deleting hints-db
Setting up exim4-daemon-light (4.86.2-2ubuntu2.2) ...
Setting up exim4 (4.86.2-2ubuntu2.2) ...
Setting up s-nail (14.8.6-1) ...
update-alternatives: using /usr/bin/s-nail to provide /usr/bin/mailx (mailx) in auto mode
Processing triggers for systemd (229-4ubuntu17) ...
Processing triggers for ureadahead (0.100.0-19) ...

Usage

Just run it as follows:
$ debsecan | more
Sample outputs:

CVE-2016-2775 bind9-host (remotely exploitable, medium urgency)
CVE-2016-2776 bind9-host (remotely exploitable, high urgency)
CVE-2016-6170 bind9-host (remotely exploitable, medium urgency)
CVE-2016-8864 bind9-host (remotely exploitable, medium urgency)
CVE-2016-9131 bind9-host (remotely exploitable, medium urgency)
CVE-2016-9147 bind9-host (remotely exploitable, medium urgency)
CVE-2016-9444 bind9-host (remotely exploitable, medium urgency)
CVE-2017-3135 bind9-host
CVE-2017-3136 bind9-host
CVE-2017-3137 bind9-host
CVE-2017-3138 bind9-host
CVE-2016-9243 python3-cryptography (remotely exploitable, medium urgency)
CVE-2016-1248 vim-tiny (remotely exploitable, medium urgency)
CVE-2017-5953 vim-tiny (remotely exploitable, high urgency)
CVE-2017-6349 vim-tiny (remotely exploitable, high urgency)
CVE-2017-6350 vim-tiny (remotely exploitable, high urgency)
CVE-2015-1331 liblxc1 (medium urgency)
CVE-2015-1334 liblxc1 (medium urgency)
CVE-2015-1335 liblxc1 (high urgency)
CVE-2016-10124 liblxc1 (remotely exploitable, medium urgency)
CVE-2016-8649 liblxc1 (remotely exploitable, high urgency)
...
..
...
CVE-2016-10228 locales (remotely exploitable, medium urgency)
CVE-2016-6323 locales (remotely exploitable, medium urgency)
CVE-2017-1000366 locales
CVE-2017-8804 locales (remotely exploitable, high urgency)
CVE-2017-6507 libapparmor-perl (remotely exploitable, medium urgency)
CVE-2016-2324 git (remotely exploitable, high urgency)
CVE-2017-8386 git (remotely exploitable, medium urgency)
CVE-2017-6594 libheimntlm0-heimdal
CVE-2016-7942 libx11-data (remotely exploitable, high urgency)
CVE-2016-7943 libx11-data (remotely exploitable, high urgency)
CVE-2015-8948 libidn11 (remotely exploitable, medium urgency)
CVE-2016-6261 libidn11 (remotely exploitable, medium urgency)
CVE-2016-6263 libidn11 (remotely exploitable, medium urgency)
CVE-2016-1233 fuse (high urgency)
CVE-2016-2568 libpolkit-gobject-1-0 (medium urgency)
TEMP-0000000-4DA0A8 libdbus-1-3
CVE-2016-2779 util-linux (high urgency)
CVE-2016-5011 util-linux (medium urgency)
CVE-2017-6964 eject (high urgency)
CVE-2016-2779 libsmartcols1 (high urgency)
CVE-2016-5011 libsmartcols1 (medium urgency)

You can use the grep command to search for any package name or CVE as follows:
$ debsecan | grep -i openvpn
Sample outputs:

CVE-2017-7478 openvpn (remotely exploitable, medium urgency)
CVE-2017-7479 openvpn (remotely exploitable, medium urgency)
CVE-2017-7508 openvpn
CVE-2017-7520 openvpn
CVE-2017-7521 openvpn

Or search for CVE-2017-1000364
$ debsecan | grep -i CVE-2017-1000364
Sample outputs:

CVE-2017-1000364 linux-image-4.4.0-79-generic
CVE-2017-1000364 linux-headers-4.4.0-79
CVE-2017-1000364 linux-headers-4.4.0-79-generic
CVE-2017-1000364 linux-headers-4.4.0-81-generic
CVE-2017-1000364 linux-headers-4.4.0-78
CVE-2017-1000364 linux-headers-4.4.0-81
CVE-2017-1000364 linux-headers-4.4.0-78-generic
CVE-2017-1000364 linux-headers-4.4.0-63
CVE-2017-1000364 linux-image-4.4.0-78-generic
CVE-2017-1000364 linux-headers-4.4.0-63-generic
CVE-2017-1000364 linux-image-4.4.0-63-generic
CVE-2017-1000364 linux-image-4.4.0-81-generic

A note about Debian security tracker

You can always use web based security tracker located at the following url:

  1. https://security-tracker.debian.org/tracker/
  2. See security history of openvpn package.
0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
Increase A VMware Disk Size (VMDK) Formatted As Linux LVM without rebooting
Viewed 934 times since Wed, May 30, 2018
RHEL7: Configure automatic updates.
Viewed 405 times since Wed, Oct 17, 2018
LVM: Extend SWAP size by adding a new Logical Volume
Viewed 640 times since Sat, Jun 2, 2018
high swap space utilization in LINUX
Viewed 482 times since Fri, Jul 13, 2018
Using Official Redhat DVD as repository
Viewed 717 times since Mon, Oct 29, 2018
Oracle Linux 7 – How to audit changes to a trusted file such as /etc/passwd or /etc/shadow
Viewed 1067 times since Wed, Jul 25, 2018
Tunnel SSH Connections Over SSL Using ‘Stunnel’ On Debian 7 / Ubuntu 13.10
Viewed 627 times since Fri, Sep 28, 2018
Linux Cluster Tutorial
Viewed 450 times since Sat, Sep 29, 2018
RHCS6: Debug and test multicast traffic between two hosts
Viewed 624 times since Sun, Jun 3, 2018
Linux Screen
Viewed 748 times since Sat, Jun 2, 2018