I got some really helpful comments on my recent post Scan Linux for Vulnerable Packages. The suggestions on how to do it on Debian and Redhat made me wonder: which distributions provide tools and what are they capable of? So the goal is to check whether each distribution has a way to automatically check for vulnerable packages that need upgrades.
Below you find an overview of the tools I've found and the distributions that might not have a good solution yet.
- Easy to use. Maintained by the Debian testing team. Lists packages, CVE numbers and details.
- They just packaged the Debian scanner without providing a database for it! And since 2008 there is a bug report about it being 100% useless.
- Provides package name and CVE number. Note: on older systems there is only "yum list updates".
- Provides package names with security-relevant updates. You need to filter the list yourself or use the "--cve" switch to limit the output to CVEs only.
- Provides package names with security-relevant updates. Similar to zypper, you need to do the filtering yourself.
- There is a dedicated scanner, but no documentation.
- No Linux? Still a nice solution... Lists vulnerable ports and vulnerability details.
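To turn the survey above into an automated check, here is an added example script (mine, not from the original post or any distribution) that picks the package vulnerability tool for the running system and exits non-zero when it reports something. The tool names and switches (debsecan, "yum list-security", "zypper list-patches --cve") are my assumptions and should be verified against your distribution's documentation.

```shell
#!/bin/sh
# Added example: choose the per-distribution vulnerability check and run it.
# Tool names and switches below are assumptions to verify on your system.

# security_check_cmd ID ID_LIKE -> prints the command to run, or "none".
# ID and ID_LIKE are the fields from /etc/os-release.
security_check_cmd() {
    id="$1"; like="$2"
    case "$id $like" in
        *debian*|*ubuntu*)
            # debsecan (the Debian scanner) lists packages with open CVEs.
            # On Ubuntu it ships without a vulnerability database, so its
            # empty output cannot be trusted; treat that as "no tool".
            if [ "$id" = "ubuntu" ]; then echo "none"; else echo "debsecan"; fi ;;
        *rhel*|*fedora*|*centos*)
            # Needs yum-plugin-security; older systems only have "yum list updates".
            echo "yum list-security" ;;
        *suse*)
            # --cve restricts the patch list to entries that fix CVEs.
            echo "zypper list-patches --cve" ;;
        *)
            echo "none" ;;
    esac
}

# has_findings OUTPUT -> 0 if OUTPUT contains any non-blank line, 1 otherwise.
# Used so a cron job can fail (and alert) when the tool reports packages.
has_findings() {
    printf '%s\n' "$1" | grep -q '[^[:space:]]'
}

# Run the check for the local system: exit 2 when no tool is known,
# 1 when the tool reported vulnerable packages, 0 when it reported nothing.
run_local_check() {
    [ -r /etc/os-release ] && . /etc/os-release
    cmd=$(security_check_cmd "${ID:-unknown}" "${ID_LIKE:-}")
    [ "$cmd" = "none" ] && { echo "no vulnerability scanner known for ${ID:-unknown}" >&2; return 2; }
    out=$($cmd 2>&1) || true
    if has_findings "$out"; then printf '%s\n' "$out"; return 1; fi
    return 0
}
```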
I know I didn't cover all Linux distributions and I rely on your comments for details I've missed.
Ubuntu doesn't look good here, but maybe there will be some solution one day :-)