debsecan should be either adjusted (for ubuntu) or removed

Bug #95925 reported by Daniël van Eeden
This bug affects 31 people
Affects: debsecan (Ubuntu)
Status: Confirmed
Importance: Medium
Assigned to: Unassigned
Nominated for Lucid by Paul Tagliamonte
Nominated for Raring by Paul Tagliamonte

Bug Description

Binary package hint: debsecan

$ debsecan --suite=edgy
usage: debsecan OPTIONS...

debsecan: error: option --suite: invalid choice: 'edgy' (choose from 'woody', 'sarge', 'etch', 'sid')

It should have options for edgy, etc.

Tags: focal
Daniel T Chen (crimsun)
Changed in debsecan:
importance: Undecided → Wishlist
status: New → Confirmed
Michael Gilbert (michael-s-gilbert) wrote :

this description is a small symptom of the large-scale problem with debsecan on ubuntu. the core issue is that ubuntu's debsecan conveys information that is just plain wrong. this is because ubuntu's debsecan gets reference data from debian's security tracker [1], which does not track ubuntu issues. hence any issues in *-ubuntu1 packages, etc that do not exist in debian's database are not tracked at all. in fact no fixed ubuntu package has ever been tracked.

a robust solution for this problem would be a major undertaking. ubuntu would need to replicate debian's security tracker system and commit to populating the database with up to date information. although that may not be necessary if one was to get permission from debian to add and maintain ubuntu-specific security data in their tracker.

anyway, as it stands now, debsecan is lying to its users, which is just plain wrong. in its current state, the package should be removed from ubuntu.

[1] http://security-tracker.debian.net/tracker/

Changed in debsecan:
assignee: nobody → michael-s-gilbert
Michael Gilbert (michael-s-gilbert) wrote :

the severity of this bug should really be set to high.

Changed in debsecan:
assignee: michael-s-gilbert → nobody
Paul Tagliamonte (paultag) wrote :

This bug should be targeted for Lucid. Lucid is an LTS, and it would be a big mistake to ship an app that reports false data about something as serious as security information.

xtsbdu3reyrbrmroezob (xtsbdu3reyrbrmroezob) wrote :

Still no update. debsecan is being considered for removal from the Ubuntu repositories, since it is currently useless unless adapted. Info in bug #498058.

summary: - debsecan should be adjusted for ubuntu
+ debsecan should be either adjusted for ubuntu or removed
tags: added: precise quantal raring
summary: - debsecan should be either adjusted for ubuntu or removed
+ debsecan should be either adjusted (for ubuntu) or removed
Paul Tagliamonte (paultag) wrote :

Someone: Just please RM this :)

Changed in debsecan (Ubuntu):
importance: Wishlist → Medium
Norbert (nrbrtx) wrote :

Guys, I think that it is very important to make debsecan compatible with the Ubuntu ecosystem.

Sometimes I use Gentoo Linux; they have a great tool - glsa-check (http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=14, http://wiki.gentoo.org/wiki/GLSA) - it tests installed packages against known vulnerabilities and recommends updating affected packages.

You already have a CVE-tracking page (http://people.canonical.com/~ubuntu-security/cve/) and Ubuntu security notices (http://www.ubuntu.com/usn/). The remaining task is to integrate them with debsecan.

Michael Boelen (cisofy) wrote :

While investigating this tool as an addition to Lynis, I discovered this bug thread. Even after years, the output of this tool is confusing and showing false positives for Ubuntu. It actually does more harm than good at this point.

Did someone from the security team already look at this case?

Sheldon Hearn (sheldonh) wrote :

It's great to aspire to fixing the package. When it's fixed, it can return to the archive. In the meantime, it doesn't belong in the archive. It's useless at best, dangerous at worst.

James Johnston (mail-codenest) wrote :

After getting flagged by Lynis for not having this installed, I looked into this tool to find out more. This absolutely sounds like a useful tool, and it should be modified for Ubuntu, not removed...

Moritz (moritz-naumann) wrote :

Happy tenth birthday to this bug report on a (universe, I admit) package which has never worked in Ubuntu, and which has always provided incorrect information. :-/

~mail-codenest Lynis test PKGS-7366 is already restricted to Debian systems, see Lynis issue 446 (please open another bug report there if there is something else which needs to change).

Roberto Abdelkader Martínez Pérez (nilp0inter) wrote :

We are working on a small piece of software to be able to generate debsecan-compatible databases from the information available in the Ubuntu Security Tracker. After this is done, with some minor changes to debsecan, we could solve this issue.

Does this sound like a reasonable idea to you?

Roberto Abdelkader Martínez Pérez (nilp0inter) wrote :

We've just finished a tool to build debsecan suitable databases from the Ubuntu CVE Tracker data.

It is open source under Apache 2.0 and it is available here: https://github.com/BBVA/ust2dsa

Using Github's CI we rebuild the databases every 6 hours for them to contain the latest vulnerability information.

If anybody wants to test the result, you just have to run this command in your current Ubuntu installation:

debsecan --suite $(lsb_release --codename --short) --source https://raw.githubusercontent.com/BBVA/ust2dsa/data/

(Note: this is not an official Ubuntu tool)

Norbert (nrbrtx)
tags: removed: precise quantal raring
Todd Taft (taft)
tags: added: focal
Todd Taft (taft) wrote :

The unofficial database proposed in https://bugs.launchpad.net/ubuntu/+source/debsecan/+bug/95925/comments/12 appears to work. It's at least a major improvement on the current situation.

I'd suggest that Ubuntu officially adopt the server-side tool and that appropriate updates are made to the defaults distributed with the package so that writing manual overrides to SUITE and SOURCE is not needed in /etc/default/debsecan to get usable results.

Seb Bonnard (sebma) wrote :

The "data" branch of the project at https://github.com/BBVA/ust2dsaa seems dead.

This command does not work for Ubuntu Jammy :

 debsecan --suite $(lsb_release -sc) --format packages --only-fixed --source https://raw.githubusercontent.com/BBVA/ust2dsa/data/
error: while downloading https://raw.githubusercontent.com/BBVA/ust2dsa/data/jammy:
HTTP Error 404: Not Found
Are you sure 'jammy' is a Debian codename?
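
Added example, not part of the thread and not code from debsecan or ust2dsa: a configuration check that reports whether debsecan on a host would be reading Debian's data, a SUITE that does not match the release, or an overridden SOURCE whose URL still needs to be verified (the 404 case above). The function names, the verdict strings and the mirror.example URL are assumptions made for illustration; SUITE, SOURCE and the SOURCE + SUITE URL layout are taken from the comments and error message in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): check which data debsecan is configured
# to use before trusting its report on a non-Debian host.

# Print the value of KEY from a KEY=value file without sourcing the file.
read_key() {    # $1 = key, $2 = file
    [ -r "$2" ] || return 0
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# $1 = os-release file, $2 = debsecan defaults file (SUITE and SOURCE).
# Prints a verdict; returns 0 only when the configuration is plausible.
debsecan_data_check() {
    distro=$(read_key ID "$1")
    codename=$(read_key VERSION_CODENAME "$1")
    suite=$(read_key SUITE "$2")
    src=$(read_key SOURCE "$2")

    if [ "$distro" = debian ]; then
        echo "ok"; return 0
    fi
    if [ -z "$src" ]; then
        # No override: the data comes from Debian's tracker, which does not
        # track this distribution's packages.
        echo "debian-data-on-${distro:-unknown}"; return 1
    fi
    if [ "$suite" != "$codename" ]; then
        echo "suite-mismatch:${suite:-unset}!=$codename"; return 1
    fi
    # The thread's error message shows the fetched URL is SOURCE + SUITE;
    # confirm it does not return 404 before relying on the report.
    echo "fetch-check:$src$suite"; return 0
}

# Constructed sample files, so the example runs offline.
demo=$(mktemp -d)
printf 'ID=ubuntu\nVERSION_CODENAME=jammy\n' > "$demo/os-release"
printf '#SOURCE=\n' > "$demo/stock"
printf 'SUITE=jammy\nSOURCE="https://mirror.example/dsa/"\n' > "$demo/override"
debsecan_data_check "$demo/os-release" "$demo/stock" || true
debsecan_data_check "$demo/os-release" "$demo/override"
```

On a real host the two arguments would be /etc/os-release and /etc/default/debsecan.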
