Hello,

Today I was looking at "debsecan" for the first time. It has sent me a very long daily report containing entries such as:

CVE-2021-3695 A crafted 16-bit grayscale PNG image may lead to a...
  <https://security-tracker.debian.org/tracker/CVE-2021-3695>
  - grub-common, grub-pc, grub-pc-bin, grub2-common

I'm having trouble understanding why it is reporting things such as the above. Looking at the link provided, I see:

Release   Version          Status
bullseye  2.06-3~deb11u1   fixed

I have newer versions installed:

$ dpkg-query -l grub-common grub-pc grub-pc-bin grub2-common
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version        Architecture Description
+++-==============-==============-============-=====================================================
ii  grub-common    2.06-3~deb11u2 i386         GRand Unified Bootloader (common files)
ii  grub-pc        2.06-3~deb11u2 i386         GRand Unified Bootloader, version 2 (PC/BIOS version)
ii  grub-pc-bin    2.06-3~deb11u2 i386         GRand Unified Bootloader, version 2 (PC/BIOS modules)
ii  grub2-common   2.06-3~deb11u2 i386         GRand Unified Bootloader (common files for version 2)

So why is debsecan reporting this as a security issue?

This is a very old host that has been continually upgraded since Debian etch. At first debsecan included lots of complaints about removed packages from earlier releases that had been left around after doing dist-upgrade (Desired/Status='rc' in dpkg terms). I went through and purged all of those, so I believe there's only bullseye packages remaining now, and that did reduce debsecan's output a lot, but I'm having trouble understanding why it still mentions things like the above.

Any ideas?

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
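An added example, not part of the mail above and not debsecan's own code: a pure-Python implementation of the Debian version ordering that `dpkg --compare-versions` uses, run over the installed grub versions from the post against the tracker's bullseye "fixed" version. The `unfixed_packages` helper and the `dpkg-query -W`-style sample lines are constructed for this example; on a real Debian host, `dpkg --compare-versions` or `apt_pkg.version_compare` is the authoritative comparison.

```python
import re
from itertools import zip_longest

# Bullseye "fixed" version from the CVE-2021-3695 tracker entry quoted in the post
TRACKER_FIXED = "2.06-3~deb11u1"
# Constructed sample in `dpkg-query -W -f='${Package} ${Version}\n'` form,
# using the versions the post shows as installed
INSTALLED = """grub-common 2.06-3~deb11u2
grub-pc 2.06-3~deb11u2
grub-pc-bin 2.06-3~deb11u2
grub2-common 2.06-3~deb11u2"""

def _order(c):
    # dpkg character weights: '~' sorts before everything (even end of string),
    # letters before all other non-digit characters
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_runs(a, b):
    # Compare two non-digit runs; a missing character weighs 0 (end of string)
    for i in range(max(len(a), len(b))):
        oa = _order(a[i]) if i < len(a) else 0
        ob = _order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0

def _cmp_fragment(a, b):
    # Alternate non-digit runs (weighted lexical) and digit runs (numeric)
    ta, tb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (sa, da), (sb, db) in zip_longest(ta, tb, fillvalue=("", "")):
        na, nb = int(da or 0), int(db or 0)
        r = _cmp_runs(sa, sb) or (na > nb) - (na < nb)
        if r:
            return r
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; epoch defaults to 0, revision to empty
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return epoch, upstream, revision

def version_compare(a, b):
    """Return -1, 0 or 1, matching dpkg --compare-versions lt / eq / gt."""
    for x, y in zip(_split(a), _split(b)):
        r = _cmp_fragment(x, y)
        if r:
            return r
    return 0

def unfixed_packages(dpkg_lines, fixed_in):
    """Package names from 'name version' lines whose version is older than fixed_in."""
    return [p for p, v in (l.split() for l in dpkg_lines.splitlines())
            if version_compare(v, fixed_in) < 0]
```

With the post's versions, `unfixed_packages(INSTALLED, TRACKER_FIXED)` returns an empty list, confirming that by dpkg ordering 2.06-3~deb11u2 is newer than the fixed version, so the report cannot be explained by a version-comparison mistake on this data.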