How can I reliably discover CVEs relating to installed packages

griswoldbar

6/3/23, 4:16 PM

I have a web application running on Ubuntu Server 18. One of its dependencies is Ghostscript. The latest version I'm able to install via apt-get is 9.26, but I've learned that this version has a security issue.

What I'm looking for is a way of automatically detecting when a CVE is raised against a package. I had thought I could simply check the apt-get repository but all it can do is tell me if it has a newer version, not if there is a problem with the latest one it does have.

Is there some way of discovering if a version of a package has vulnerabilities from the command line? i.e. some command, or a public API or file I can build a script around?

0 + 0

security

ubuntu

apt

cve

Score:2

Server

Bob

6/3/23, 10:35 PM

The latest version I'm able to install via apt-get is 9.26, but I've learned that this version has a security issue.

That is both true and probably not quite the relevant truth.

Almost all major Linux distributions back port security updates. They reasons for backporting and the process is pretty well described on RedHat.com but is similar for Ubuntu. (Please read that whole article.) The short of it is that an older version number reported by the software itself does not automatically equate to insecure at all.

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ghostscript And https://www.ghostscript.com/doc/9.55.0/News.htm

Both show a whole range of issues that are fixed in the latest Ghostscript release.

Do you need to update to Ghostscript 9.55 to fix all of those ?

No.

https://ubuntu.com/security/notices/USN-4686-1 shows that many vulnerabilities have been back ported and Ubuntu 18 is not vulnerable to the most recent CVE at all according to

https://ubuntu.com/security/cves?package=ghostscript

In general regularly applying security updates (for as long as your distribution is supported) will keep you secure.

0 + 0

griswoldbar

6/7/23, 2:08 PM

Even though it wasn't exactly what I was asking, I'm marking this as the right answer as it's solved my problem and made me realise i was asking the wrong question :)

Score:1

Server

AlexD

6/3/23, 4:25 PM

You need debsecan.

debsecan analyzes the list of installed packages on the current host and reports vulnerabilities found on the system.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How can I reliably discover CVEs relating to installed packages

TH: ฉันจะค้นพบ CVE ที่เกี่ยวข้องกับแพ็คเกจที่ติดตั้งอย่างน่าเชื่อถือได้อย่างไร

RO: Cum pot descoperi în mod fiabil CVE-urile legate de pachetele instalate

RU: Как я могу надежно обнаружить CVE, относящиеся к установленным пакетам

VI: Làm cách nào tôi có thể khám phá các CVE liên quan đến các gói đã cài đặt một cách đáng tin cậy

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.