Package: debsecan
Version: 0.4.19~deb9u1
Severity: normal

Dear Maintainer,

This has been bugging me for a while. debsecan shows the following packages as being vulnerable and having updates available to fix the issue:

*** Available security updates

CVE-2017-15908 In systemd 223 through 235, a remote DNS server can...
  <https://security-tracker.debian.org/tracker/CVE-2017-15908>
  - libudev1, libpam-systemd, libsystemd0, udev, systemd (remotely exploitable, medium urgency)

CVE-2017-9445 In systemd through 233, certain sizes passed to...
  <https://security-tracker.debian.org/tracker/CVE-2017-9445>
  - libudev1, libpam-systemd, libsystemd0, udev, systemd (remotely exploitable, medium urgency)

Upon checking the security tracker for both CVE-2017-15908 and CVE-2017-9445 I saw that I needed systemd 232-25+deb9u2 to apply the fixes. My system has systemd 232-25+deb9u3 installed, as shown below:

tmc@citadel:~$ dpkg -l | grep systemd
ii  libpam-systemd:amd64  232-25+deb9u3  amd64  system and service manager - PAM module
ii  libsystemd0:amd64     232-25+deb9u3  amd64  systemd utility library
ii  systemd               232-25+deb9u3  amd64  system and service manager
ii  systemd-shim          10-3           amd64  shim for systemd

This leads to three (3) questions:

1. Is there a bug or flaw in debsecan logic that means that 232-25+deb9u3, which should contain the fixes included in 232-25+deb9u2, is not recognised as fixed?
2. Is there a bug or flaw in the vulnerability database that debsecan uses that means that 232-25+deb9u3, which should contain the fixes included in 232-25+deb9u2, is not recognised as fixed?
3. Are the fixes in systemd 232-25+deb9u2 not applied in systemd 232-25+deb9u3?

This issue is happening across all Debian systems that I manage. Happy to provide more debug and/or testing.
Cheers

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1), LANGUAGE=en_AU (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages debsecan depends on:
ii  ca-certificates        20161130+nmu1
ii  debconf [debconf-2.0]  1.5.61
ii  python                 2.7.13-2
ii  python-apt             1.4.0~beta3

Versions of packages debsecan recommends:
ii  cron                            3.0pl1-128+deb9u1
ii  postfix [mail-transport-agent]  3.1.8-0+deb9u1

debsecan suggests no packages.

-- debconf information:
* debsecan/suite: stretch
* debsecan/report: true
* debsecan/mailto: root
* debsecan/source: