debsecan should be either adjusted (for ubuntu) or removed

Bug #95925 reported by Daniël van Eeden
158
This bug affects 29 people
Affects Status Importance Assigned to Milestone
debsecan (Ubuntu)
Confirmed
Medium
Unassigned
Nominated for Lucid by Paul Tagliamonte
Nominated for Raring by Paul Tagliamonte

Bug Description

Binary package hint: debsecan

$ debsecan --suite=edgy
usage: debsecan OPTIONS...

debsecan: error: option --suite: invalid choice: 'edgy' (choose from 'woody', 'sarge', 'etch', 'sid')

It should have options for edgy, etc.

Tags: focal
Daniel T Chen (crimsun)
Changed in debsecan:
importance: Undecided → Wishlist
status: New → Confirmed
Revision history for this message
Michael Gilbert (michael-s-gilbert) wrote :

this description is a small symptom of the large-scale problem with debsecan on ubuntu. the core issue is that ubuntu's debsecan conveys information that is just plain wrong. this is because ubuntu's debescan gets reference data from debian's security tracker [1], which does not track ubuntu issues. hence any issues in *-ubuntu1 packages, etc that do not exist in debian's database are not tracked at all. in fact no fixed ubuntu package has ever been tracked.

a robust solution for this problem would be a major undertaking. ubuntu would need to replicate debian's security tracker system and commit to populating the database with up to date information. although that may not be necessary if one was to get permission from debian to add and maintain ubuntu-specific security data in their tracker.

anyway, as it stands now, debsecan is lying to its users, which is just plain wrong. in its current state, the package should be removed from ubuntu.

[1] http://security-tracker.debian.net/tracker/

Changed in debsecan:
assignee: nobody → michael-s-gilbert
Revision history for this message
Michael Gilbert (michael-s-gilbert) wrote :

the severity of this bug should really be set to high.

Changed in debsecan:
assignee: michael-s-gilbert → nobody
Revision history for this message
Paul Tagliamonte (paultag) wrote :

This bug should be targeted for Lucid. Lucid is an LTS, and it would be a big mistake to ship an app that reports false data about something as serious as security information.

Revision history for this message
xtsbdu3reyrbrmroezob (xtsbdu3reyrbrmroezob) wrote :

Still no update. debsecan is considering being removed from the Ubuntu repositories, since it is currently useless otherwise adapted. Info in bug #498058.

summary: - debsecan should be adjusted for ubuntu
+ debsecan should be either adjusted for ubuntu or removed
tags: added: precise quantal raring
summary: - debsecan should be either adjusted for ubuntu or removed
+ debsecan should be either adjusted (for ubuntu) or removed
Revision history for this message
Paul Tagliamonte (paultag) wrote :

Someone: Just please RM this :)

Changed in debsecan (Ubuntu):
importance: Wishlist → Medium
Revision history for this message
Norbert (nrbrtx) wrote :

Guys, I think that it is very important to make debsecan compatible with Ubuntu-ecosystem.

Sometimes I use Gentoo Linux, they have great tool - glsa-check (http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=14, http://wiki.gentoo.org/wiki/GLSA) - it tests installed packages against known vulnerabilities and recommends to update affected packages.

You already have CVE-tracking page (http://people.canonical.com/~ubuntu-security/cve/) and Ubuntu security notices (http://www.ubuntu.com/usn/). The remaining task is to integrate them with debsecan.

Revision history for this message
Michael Boelen (cisofy) wrote :

While investigating this tool as an addition to Lynis, I discovered this bug thread. Even after years, the output of this tool is confusing and showing false positives for Ubuntu. It actually does more harm than good at this point.

Did someone from security team already looked at this case?

Revision history for this message
Sheldon Hearn (sheldonh) wrote :

It's great to aspire to fixing the package. When it's fixed, it can return to the archive. In the meantime, it doesn't belong in the archive. It's useless at best, dangerous at worst.

Revision history for this message
James Johnston (mail-codenest) wrote :

After getting flagged by Lynis for not having this installed, I looked into this tool to find out more. This absolutely sounds like a useful tool, and it should modified for Ubuntu, not removed...

Revision history for this message
Moritz (moritz-naumann) wrote :

Happy tenth birthday to this bug report on a (universe, I admit) package which has never worked in Ubuntu, and which has always provided incorrect information. :-/

~mail-codenest Lynis test PKGS-7366 is already restricted to Debian systems, see Lynis issue 446 (please open another bug report there if there is something else which needs to change).

Revision history for this message
Roberto Abdelkader Martínez Pérez (nilp0inter) wrote :

We are working in a small piece of software to be able to generate debsecan compatible databases from the information available in the Ubuntu Security Tracker. After this is done, with some minor changes to debsecan, we could solve this issue.

Do this sound like a reasonable idea to you?

Revision history for this message
Roberto Abdelkader Martínez Pérez (nilp0inter) wrote :

We've just finished a tool to build debsecan suitable databases from the Ubuntu CVE Tracker data.

It is open source under Apache 2.0 and it is available here: https://github.com/BBVA/ust2dsa

Using Github's CI we rebuild the databases every 6 hours for them to contain the latest vulnerability information.

If anybody want to test the result you just have to run this command in your current Ubuntu installation:

debsecan --suite $(lsb_release --codename --short) --source https://raw.githubusercontent.com/BBVA/ust2dsa/data/

(Note: this is not an official Ubuntu tool)

Norbert (nrbrtx)
tags: removed: precise quantal raring
Todd Taft (taft)
tags: added: focal
Revision history for this message
Todd Taft (taft) wrote :

The unofficial database proposed in https://bugs.launchpad.net/ubuntu/+source/debsecan/+bug/95925/comments/12 appears to work. It's at least a major improvement on the current situation.

I'd suggest that Ubuntu officially adopt the server-side tool and that appropriate updates are made to the defaults distributed with the package so that writing manual overrides to SUITE and SOURCE are not needed in /etc/default/debsecan to get usable results.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers