debsecan still reports vulnerable packages even though the fixes are installed


I have an up-to-date Debian stable (bullseye) installation, including debian-security:

$ cat /etc/apt/sources.list
deb http://deb.debian.org/debian/              bullseye          main contrib non-free
deb http://security.debian.org/debian-security bullseye-security main contrib non-free
deb http://deb.debian.org/debian/              bullseye-updates  main contrib non-free

deb-src http://deb.debian.org/debian/               bullseye          main contrib non-free
deb-src http://security.debian.org/debian-security/ bullseye-security main contrib non-free
deb-src http://deb.debian.org/debian/               bullseye-updates  main contrib non-free

When I run debsecan, I am surprised to see how many CVEs it lists as fixed:

$ debsecan --suite bullseye --only-fixed | wc -l
310

I looked at a few of the packages and found that I already have the fixed version installed. In this case, libc-bin 2.31-13+deb11u4 appears to have fixed CVE-2021-33574. I have +deb11u5 installed, so I don't understand why this CVE is being flagged on my system.

$ debsecan --suite bullseye --only-fixed --format detail
CVE-2021-33574 (fixed)
  The mq_notify function in the GNU C Library (aka glibc) versions 2.32  ...
  installed: libc-bin 2.31-13+deb11u5
             (built from glibc 2.31-13+deb11u5)
  fixed in unstable: glibc 2.32-1 (source package)
  fixed on branch:   glibc 2.28-10+deb10u2 (source package)
  fixed on branch:   glibc 2.31-13+deb11u3 (source package)
  fixed on branch:   glibc 2.31-13+deb11u4 (source package)
  fixed on branch:   glibc 2.32-0experimental0 (source package)
  fix is available for the selected suite (bullseye)

Is this a false positive, or am I misinterpreting these results?

The problem is not limited to the fixed packages. In this case, xxd is fixed in 8.1.0875-5+deb10u4, but I have 8.2.2434-3+deb11u1 installed. Was the fix applied to unstable, testing and oldstable while stable was skipped?

$ debsecan --suite bullseye | wc -l
2102
$ debsecan --suite bullseye  --format detail
CVE-2022-3324
  Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0. ...
  installed: xxd 2:8.2.2434-3+deb11u1
             (built from vim 2:8.2.2434-3+deb11u1)
  fixed in unstable: vim 2:9.0.0626-1 (source package)
  fixed on branch:   vim 2:8.1.0875-5+deb10u3 (source package)
  fixed on branch:   vim 2:8.1.0875-5+deb10u4 (source package)
$ 
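The question above boils down to one check: does the installed source version order at or above a version that debsecan lists as fixed, and is that fixed version on the same branch? The following script is an added example, not code from the question or from debsecan. It re-implements dpkg's version ordering in Python, parses `debsecan --format detail` records (the sample text is the question's own output, trimmed), and classifies each CVE. Its notion of "same branch" is a stated heuristic: a fix version counts for the installed package only if it shares the installed version's upstream part (so 2.31-13+deb11u3 can cover 2.31-13+deb11u5, while 2.28-10+deb10u2 or 2.32-1 cannot).

```python
"""Triage `debsecan --format detail` output with Debian version comparison.

Added example, not part of the question or of debsecan. The version ordering
follows dpkg (Debian Policy 5.6.12); the same-upstream branch rule is a
heuristic chosen for this example.
"""
import re
from functools import cmp_to_key

# --- dpkg version ordering --------------------------------------------------

def _char_order(c):
    # '~' sorts before everything (even end of string); letters before non-letters.
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256

def _cmp_nondigit(a, b):
    # Compare two non-digit runs character by character; end of string counts as 0.
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i]) if i < len(a) else 0
        ob = _char_order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0

def _cmp_fragment(a, b):
    # Alternate non-digit runs (lexical with the '~' rule) and digit runs (numeric).
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def parse_version(v):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b as dpkg --compare-versions does."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

# --- debsecan detail-format parser -----------------------------------------

_CVE_RE = re.compile(r"^(CVE-\d{4}-\d+)")
_INSTALLED_RE = re.compile(r"^\s+installed:\s+(\S+)\s+(\S+)")
_BUILT_RE = re.compile(r"^\s+\(built from\s+(\S+)\s+(\S+)\)")
_FIXED_RE = re.compile(r"^\s+fixed (?:in unstable|on branch):\s+(\S+)\s+(\S+)")

def parse_detail(text):
    """Return one dict per CVE record: cve, installed source version, fix versions."""
    records = []
    for line in text.splitlines():
        if m := _CVE_RE.match(line):
            records.append({"cve": m.group(1), "version": None, "fixes": []})
        elif records and (m := _BUILT_RE.match(line)):
            records[-1]["version"] = m.group(2)      # source version wins
        elif records and (m := _INSTALLED_RE.match(line)):
            records[-1]["version"] = records[-1]["version"] or m.group(2)
        elif records and (m := _FIXED_RE.match(line)):
            records[-1]["fixes"].append(m.group(2))
    return records

def triage(text):
    """Classify each CVE: covered / upgrade-available / no-fix-on-branch."""
    out = {}
    for rec in parse_detail(text):
        installed = rec["version"]
        if not installed:
            continue
        upstream = parse_version(installed)[1]
        # Heuristic: only fixes sharing the installed upstream version belong to
        # the installed branch (deb11u3 covers deb11u5; deb10u2 or 2.32-1 do not).
        same_branch = [f for f in rec["fixes"] if parse_version(f)[1] == upstream]
        covering = sorted((f for f in same_branch if compare_versions(installed, f) >= 0),
                          key=cmp_to_key(compare_versions))
        status = "covered" if covering else ("upgrade-available" if same_branch
                                             else "no-fix-on-branch")
        out[rec["cve"]] = {"installed": installed, "status": status,
                           "covered_by": covering[0] if covering else None}
    return out

# Sample input: the two records from the question, trimmed (constructed for the test).
SAMPLE_DETAIL = """\
CVE-2021-33574 (fixed)
  The mq_notify function in the GNU C Library (aka glibc) versions 2.32  ...
  installed: libc-bin 2.31-13+deb11u5
             (built from glibc 2.31-13+deb11u5)
  fixed in unstable: glibc 2.32-1 (source package)
  fixed on branch:   glibc 2.28-10+deb10u2 (source package)
  fixed on branch:   glibc 2.31-13+deb11u3 (source package)
  fixed on branch:   glibc 2.31-13+deb11u4 (source package)
  fixed on branch:   glibc 2.32-0experimental0 (source package)
  fix is available for the selected suite (bullseye)
CVE-2022-3324
  Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0. ...
  installed: xxd 2:8.2.2434-3+deb11u1
             (built from vim 2:8.2.2434-3+deb11u1)
  fixed in unstable: vim 2:9.0.0626-1 (source package)
  fixed on branch:   vim 2:8.1.0875-5+deb10u3 (source package)
  fixed on branch:   vim 2:8.1.0875-5+deb10u4 (source package)
"""

if __name__ == "__main__":
    for cve, info in triage(SAMPLE_DETAIL).items():
        print(cve, info["installed"], info["status"], info["covered_by"])
```

Run against live output with `debsecan --suite bullseye --format detail | python3 triage.py` after replacing the sample with `sys.stdin.read()`. For the glibc record the installed 2.31-13+deb11u5 orders above the listed 2.31-13+deb11u3 fix, so the script reports it as covered; for the vim record no listed fix shares the installed 8.2.2434 upstream, so it reports that no fix exists on the installed branch. The ordering itself can be cross-checked with `dpkg --compare-versions 2.31-13+deb11u5 ge 2.31-13+deb11u3`; what the script does not do is reproduce debsecan's own per-suite verdict, which comes from its data feed rather than from comparing the versions printed in the report.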
