I got some really helpful comments on my recent post
Scan Linux for Vulnerable Packages. The suggestions on how to do it on Debian and Redhat made me wonder: which distributions provide tools, and what are they capable of? So the goal is to check whether each distribution has a way to automatically check for installed packages with known vulnerabilities that need an upgrade.
Below is an overview of the tools I found, and of the distributions that might not have a good solution yet.
Distribution | Scanner | Rating | Description
--- | --- | --- | ---
Debian | debsecan | superb | Easy to use. Developed by the Debian testing security team; pulls its data from the Debian security tracker. Lists packages, CVE numbers and details.
Ubuntu | debsecan | useless | They just packaged the Debian scanner without providing a database for it! And since 2008 there is a bug about it being 100% useless.
CentOS, Fedora, Redhat | "yum list-security" | good | Provides package name and CVE number. Needs the yum-security plugin (yum-plugin-security); on older systems without it there is only "yum list updates", which does not separate security fixes from other updates. Caveat: at least on CentOS 5 and 6 the stock repositories do not ship the updateinfo metadata the plugin needs, so there it returns an empty list.
OpenSuSE | "zypper list-patches" | ok | Provides package names with security-relevant updates. You need to filter the list yourself, or use the "--cve" switch to limit it to CVEs ("--category security" limits it to security patches).
SLES | "rug lu" | ok | Provides package names with security-relevant updates (SLES 10; SLES 11 and later use zypper). Similar to zypper, you need to do the filtering yourself.
Gentoo | glsa-check | bad | There is a dedicated scanner (part of gentoolkit; "glsa-check -t all" tests every GLSA against the installed packages), but no documentation.
FreeBSD | Portaudit | superb | No Linux? Still a nice solution... Lists vulnerable ports and vulnerability details ("portaudit -Fda" fetches the database and audits everything installed). On pkgng-based systems it has since been replaced by "pkg audit".
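To turn the table into something a cron job can run, here is an added example script (my own, not part of the tools above or of the original post). It maps the distribution's ID from an os-release style file to the scanner command from the table, refuses distributions without a usable scanner, and filters debsecan's summary output down to the packages that actually have a fix available. The sample debsecan lines are constructed for the example, and the assumption that the summary format is `CVE-ID package (flags)` with a `fixed` flag marking entries that have an upgrade available is mine; check it against `debsecan --help` on your box.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumptions: os-release
# style "ID=..." lines, and debsecan summary lines of the form
#   CVE-YYYY-NNNN package (flags)
# where the flag "fixed" means a fixed package can be installed.

# Read the distribution ID from an os-release file (default /etc/os-release).
# Falls back to the kernel name (e.g. "freebsd") when the file is missing.
distro_id() {
    f="${1:-/etc/os-release}"
    if [ -r "$f" ]; then
        sed -n 's/^ID=//p' "$f" | tr -d '"'
    else
        uname -s | tr 'A-Z' 'a-z'
    fi
}

# Scanner invocation for a distribution ID; prints nothing and returns 1
# for distributions without a working scanner (Ubuntu ships debsecan
# without a database, so it is deliberately not mapped).
scanner_for_distro() {
    case "$1" in
        debian)             echo "debsecan" ;;
        centos|fedora|rhel) echo "yum list-security" ;;
        opensuse*)          echo "zypper list-patches --cve" ;;
        sles)               echo "rug lu" ;;
        gentoo)             echo "glsa-check -t all" ;;
        freebsd)            echo "portaudit -Fda" ;;
        *)                  return 1 ;;
    esac
}

# Constructed sample of debsecan summary output (flags are made up for
# the example; the CVE-to-package pairs are real).
SAMPLE_DEBSECAN='CVE-2009-0590 openssl (fixed, remotely exploitable, high urgency)
CVE-2009-0591 openssl (fixed, remotely exploitable, low urgency)
CVE-2010-1128 php5 (fixed, remotely exploitable, high urgency)
CVE-2010-0001 gzip (remotely exploitable, high urgency)'

# From debsecan summary lines on stdin, print the unique package names
# that have a fix available, i.e. the ones an upgrade would actually help.
upgradable_packages() {
    awk '/^CVE-/ && /\(fixed/ { print $2 }' | sort -u
}

# Usage: ./scan.sh --run  (detects the distribution and prints the command;
# pipe the command's output through upgradable_packages on Debian).
if [ "${1:-}" = "--run" ]; then
    id=$(distro_id)
    if cmd=$(scanner_for_distro "$id"); then
        echo "$id: $cmd"
    else
        echo "no usable scanner known for '$id'" >&2
        exit 2
    fi
fi
```

On a Debian host the whole pipeline is `debsecan | upgradable_packages`, which gives a deduplicated list of packages to pass to `apt-get install`; the `fixed` filter matters because debsecan also lists unfixed vulnerabilities, for which an upgrade changes nothing.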
I know I didn't cover all Linux distributions and I rely on your comments for details I've missed.
Ubuntu doesn't look good here, but maybe there will be some solution one day :-)