I got some really helpful comments on my recent post Scan Linux for Vulnerable Packages. The suggestions on how to do it on Debian and Redhat made me wonder: which distributions provide tools and what are they capable of? So the goal is to check whether each distribution has a way to automatically check for vulnerable packages that need upgrades. Below you find an overview of the tools I've found and the distributions that might not have a good solution yet.
| Distribution | Scanner | Rating | Description |
|---|---|---|---|
| Debian | `debsecan` | superb | Easy to use. Maintained by the Debian testing team. Lists packages, CVE numbers and details. |
| Ubuntu | `debsecan` | useless | They just packaged the Debian scanner without providing a database for it! And since 2008 there is a bug about it being 100% useless. |
| CentOS, Fedora, Red Hat | `yum list-security` | good | Provides package name and CVE number. Note: on older systems there is only `yum list updates`. |
| OpenSuSE | `zypper list-patches` | ok | Provides package names with security-relevant updates. You need to filter the list yourself or use the `--cve` switch to limit it to CVEs only. |
| SLES | `rug lu` | ok | Provides package names with security-relevant updates. Similar to zypper, you need to do the filtering yourself. |
| Gentoo | `glsa-check` | bad | There is a dedicated scanner, but no documentation. |
| FreeBSD | Portaudit | superb | No Linux? Still a nice solution... Lists vulnerable ports and vulnerability details. |
I know I didn't cover all Linux distributions and I rely on your comments for details I've missed. Ubuntu doesn't look good here, but maybe there will be some solution one day :-)