Score:0

How can I reliably discover CVEs relating to installed packages

kw flag

I have a web application running on Ubuntu Server 18. One of its dependencies is Ghostscript. The latest version I'm able to install via apt-get is 9.26, but I've learned that this version has a security issue.

What I'm looking for is a way of automatically detecting when a CVE is raised against a package. I had thought I could simply check the apt-get repository but all it can do is tell me if it has a newer version, not if there is a problem with the latest one it does have.

Is there some way of discovering if a version of a package has vulnerabilities from the command line? i.e. some command, or a public API or file I can build a script around?

Score:2
cn flag
Bob

The latest version I'm able to install via apt-get is 9.26, but I've learned that this version has a security issue.

That is both true and probably not quite the relevant truth.

Almost all major Linux distributions backport security updates. The reasons for backporting and the process are pretty well described on RedHat.com, but it is similar for Ubuntu. (Please read that whole article.) The short of it is that an older version number reported by the software itself does not automatically equate to insecure at all.

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ghostscript and https://www.ghostscript.com/doc/9.55.0/News.htm

Both show a whole range of issues that are fixed in the latest Ghostscript release.

Do you need to update to Ghostscript 9.55 to fix all of those?

No.

https://ubuntu.com/security/notices/USN-4686-1 shows that many vulnerabilities have been backported and Ubuntu 18 is not vulnerable to the most recent CVE at all according to

https://ubuntu.com/security/cves?package=ghostscript

In general regularly applying security updates (for as long as your distribution is supported) will keep you secure.

kw flag
Even though it wasn't exactly what I was asking, I'm marking this as the right answer as it's solved my problem and made me realise I was asking the wrong question :)
Score:1
jp flag

You need debsecan.

debsecan analyzes the list of installed packages on the current host and reports vulnerabilities found on the system.
