debsecan should be removed from Ubuntu repositories

Bug #498058 reported by Paul Tagliamonte
This bug affects 4 people
Affects: debsecan (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: none
Nominated for Maverick by Michael Gilbert

Bug Description

Binary package hint: debsecan

Debsecan should be removed from the Ubuntu repositories because it serves no purpose at this point. debsecan interfaces to the Debian security tracker [1]. This is all well and good, but we have a different naming scheme for some packages, and a few diversions from upstream packages (patches etc.) that cause this application to report bad data.

This package is a very valuable resource, so I propose a diversion from Debian, creating a ubusecan tool that uses launchpadlib to work off our CVE reports. This would produce accurate output without having to translate upstream names to downstream package names and compensate for patches applied.

[1]: http://security-tracker.debian.org/tracker

Revision history for this message
Paul Tagliamonte (paultag) wrote :

Followup examples:

==

One example of a CVE that was reported is CVE-2009-4128 shown as open in Ubuntu, but it shouldn't be affected.

Firefox issues are not shown since Debian's package is iceweasel

Any issue fixed in a DSA would appear to be fixed in Ubuntu regardless of whether Ubuntu had issued a USN, as long as that version was older.

7 poppler issues marked as still open even though they were fixed in USN-850-3 (and the same can be said for libgd issue CVE-2009-3546, cups CVE-2009-2820, vorbis issue CVE-2009-3379, and most USN posts).
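
The two failure modes in the comment above (an Ubuntu fix in a lower dpkg revision than the Debian fix, and a Debian source name that never matches an installed Ubuntu package), as an added example that is not part of the bug report or of debsecan: a compact reimplementation of dpkg's version ordering rules and a debsecan-like "installed older than fixed?" check, run over constructed tracker records with hypothetical CVE ids and version strings.

```python
# Added example (not debsecan's code): dpkg-style version compare + debsecan-like check.
def _order(c):
    # dpkg character order: '~' sorts first, then end of string, letters, symbols.
    if not c or c.isdigit():
        return 0
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Compare alternating non-digit / digit runs, as dpkg's verrevcmp() does.
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            if _order(a[:1]) != _order(b[:1]):
                return _order(a[:1]) - _order(b[:1])
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit() or b[:1].isdigit():
            return 1 if a[:1].isdigit() else -1
        if first_diff:
            return first_diff
    return 0

def _split(v):
    # "epoch:upstream-revision" -> (int epoch, upstream, revision); parts optional.
    epoch, sep, rest = v.partition(":")
    epoch, rest = (epoch, rest) if sep else ("0", v)
    up, sep, rev = rest.rpartition("-")
    return int(epoch), (up if sep else rest), (rev if sep else "")

def dpkg_compare(a, b):
    """Negative, zero or positive, like `dpkg --compare-versions`."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def open_cves(tracker, installed):
    """debsecan-style check: open when the installed version < tracker's fixed version."""
    return sorted(cve for cve, (pkg, fixed) in tracker.items()
                  if pkg in installed and dpkg_compare(installed[pkg], fixed) < 0)

# Constructed records (hypothetical CVE ids and versions). The Debian tracker
# records the fix as Debian revision -2, which dpkg orders after Ubuntu's own
# fix in -1ubuntu1.2, and knows "iceweasel" where Ubuntu installs "firefox".
DEBIAN_TRACKER = {"CVE-0000-0001": ("poppler", "0.12.0-2"),
                  "CVE-0000-0002": ("iceweasel", "3.5.5-1")}
UBUNTU_CVE_DATA = {"CVE-0000-0001": ("poppler", "0.12.0-1ubuntu1.2"),
                   "CVE-0000-0002": ("firefox", "3.5.5+nobinonly-0ubuntu1")}
INSTALLED = {"poppler": "0.12.0-1ubuntu1.2", "firefox": "3.5.4+nobinonly-0ubuntu1"}
```

Against the Debian records the check reports the already-patched poppler as open and says nothing about the outdated firefox; against Ubuntu's own records it gets both right.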

Changed in debsecan (Ubuntu):
status: New → Confirmed
Revision history for this message
xtsbdu3reyrbrmroezob (xtsbdu3reyrbrmroezob) wrote :

Pretty useless in the current form. Package should either be adapted as outlined in bug #92925 or removed from Ubuntu. Evidence below of how useless the package is in the current form.

"""
$ debsecan | sort | head
CVE-2006-4310 firefox-globalmenu (remotely exploitable, medium urgency)
CVE-2006-4310 firefox-gnome-support (remotely exploitable, medium urgency)
CVE-2006-4310 firefox-locale-en (remotely exploitable, medium urgency)
CVE-2006-4310 firefox (remotely exploitable, medium urgency)
CVE-2006-5462 firefox-globalmenu (remotely exploitable, high urgency)
CVE-2006-5462 firefox-gnome-support (remotely exploitable, high urgency)
CVE-2006-5462 firefox-locale-en (remotely exploitable, high urgency)
CVE-2006-5462 firefox (remotely exploitable, high urgency)
CVE-2006-5463 firefox-globalmenu (remotely exploitable, high urgency)
CVE-2006-5463 firefox-gnome-support (remotely exploitable, high urgency)
$ sudo unattended-upgrade -d
Initial blacklisted packages:
Starting unattended upgrades script
Allowed origins are: ['o=Ubuntu,a=natty', 'o=Ubuntu,a=natty-security', 'o=Ubuntu,a=natty-updates', 'o=Ubuntu,a=natty-proposed', 'o=Ubuntu,a=natty-backports', 'o=Canonical,a=natty', 'o=LP-PPA-app-review-board,a=natty', 'o=LP-PPA-ubuntu-wine,a=natty']
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
blacklist: []
InstCount=0 DelCount=0 BrokenCout=0
No packages found that can be upgraded unattended
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 11.04
Release: 11.04
Codename: natty

"""

Revision history for this message
xtsbdu3reyrbrmroezob (xtsbdu3reyrbrmroezob) wrote :

I meant bug #95925.
