debsecan support for proxmox packages?

juju42

Nov 24, 2024
Hello,
Not really a proxmox issue and maybe v7 only.
I have a Debian/Proxmox setup on which I have debsecan making a daily report of packages that are vulnerable/fixed/can be patched.

Example partial output:
*** Available security updates

CVE-2021-3997 A flaw was found in systemd. An uncontrolled...
<https://security-tracker.debian.org/tracker/CVE-2021-3997>
- libnss-systemd, libpam-systemd, libsystemd0, libudev1, systemd,
systemd-sysv, udev

CVE-2022-1304 An out-of-bounds read/write vulnerability was found...
<https://security-tracker.debian.org/tracker/CVE-2022-1304>
- e2fsprogs, libcom-err2, libext2fs2, libss2, logsave

CVE-2022-3821 An off-by-one Error issue was discovered in Systemd...
<https://security-tracker.debian.org/tracker/CVE-2022-3821>
- libnss-systemd, libpam-systemd, libsystemd0, libudev1, systemd,
systemd-sysv, udev

CVE-2022-4415 A vulnerability was found in systemd. This security...
<https://security-tracker.debian.org/tracker/CVE-2022-4415>
- libnss-systemd, libpam-systemd, libsystemd0, libudev1, systemd,
systemd-sysv, udev
But those are patched; it is just that the patchset ends with proxmox (+pmx) and not debian (+deb)...
For https://security-tracker.debian.org/tracker/CVE-2021-3997, it expects 247.3-7+deb11u5 or above, and the system has 247.3-7+1-pmx11u1.

Is there a reason for the change, as not many packages are like this?
Is there any way to make it work with debsecan (https://gitlab.com/fweimer/debsecan), which uses data from https://security-tracker.debian.org/tracker/ ?
Are there any other distributions which change those patchset names?
What packages fall under a different patchset? Those tied to the proxmox kernel, I suppose.

This comes from a proxmox 7 system for which the packages are:
$ dpkg -l | grep systemd
ii dbus-user-session 1.12.28-0+deb11u1 amd64 simple interprocess messaging system (systemd --user integration)
ii libnss-systemd:amd64 247.3-7+1-pmx11u1 amd64 nss module providing dynamic user and group name resolution
ii libpam-systemd:amd64 247.3-7+1-pmx11u1 amd64 system and service manager - PAM module
ii libsystemd0:amd64 247.3-7+1-pmx11u1 amd64 systemd utility library
ii proxmox-mini-journalreader 1.3-1 amd64 Minimal systemd Journal Reader
ii python3-systemd 234-3+b4 amd64 Python 3 bindings for systemd
ii systemd 247.3-7+1-pmx11u1 amd64 system and service manager
ii systemd-sysv 247.3-7+1-pmx11u1 amd64 system and service manager - SysV links
rc systemd-timesyncd 247.3-7+1-pmx11u1 amd64 minimalistic service to synchronize local time with NTP servers
$ dpkg -l | grep -E '[-+]pmx'
ii ifupdown2 3.1.0-1+pmx4 all Network Interface Management tool similar to ifupdown
ii libnss-systemd:amd64 247.3-7+1-pmx11u1 amd64 nss module providing dynamic user and group name resolution
ii libpam-systemd:amd64 247.3-7+1-pmx11u1 amd64 system and service manager - PAM module
ii libsystemd0:amd64 247.3-7+1-pmx11u1 amd64 systemd utility library
ii libudev1:amd64 247.3-7+1-pmx11u1 amd64 libudev shared library
ii systemd 247.3-7+1-pmx11u1 amd64 system and service manager
ii systemd-sysv 247.3-7+1-pmx11u1 amd64 system and service manager - SysV links
rc systemd-timesyncd 247.3-7+1-pmx11u1 amd64 minimalistic service to synchronize local time with NTP servers
ii udev 247.3-7+1-pmx11u1 amd64 /dev/ and hotplug management daemon

On proxmox 8:
$ dpkg -l | grep systemd
ii dbus-user-session 1.14.10-1~deb12u1 amd64 simple interprocess messaging system (systemd --user integration)
ii libnss-systemd:amd64 252.31-1~deb12u1 amd64 nss module providing dynamic user and group name resolution
ii libpam-systemd:amd64 252.31-1~deb12u1 amd64 system and service manager - PAM module
ii libsystemd-shared:amd64 252.31-1~deb12u1 amd64 systemd shared private library
ii libsystemd0:amd64 252.31-1~deb12u1 amd64 systemd utility library
ii proxmox-mini-journalreader 1.4.0 amd64 Minimal systemd Journal Reader
ii python3-systemd 235-1+b2 amd64 Python 3 bindings for systemd
ii systemd 252.31-1~deb12u1 amd64 system and service manager
ii systemd-sysv 252.31-1~deb12u1 amd64 system and service manager - SysV compatibility symlinks
rc systemd-timesyncd 252.31-1~deb12u1 amd64 minimalistic service to synchronize local time with NTP servers
$ dpkg -l | grep -E '[-+]pmx'
ii grub-common 2.06-13+pmx2 amd64 GRand Unified Bootloader (common files)
ii grub-efi-amd64 2.06-13+pmx2 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version)
ii grub-efi-amd64-bin 2.06-13+pmx2 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 modules)
ii grub-efi-amd64-signed 1+2.06+13+pmx2 amd64 GRand Unified Bootloader, version 2 (amd64 UEFI signed by Debian)
ii grub2-common 2.06-13+pmx2 amd64 GRand Unified Bootloader (common files for version 2)
ii ifupdown2 3.2.0-1+pmx11 all Network Interface Management tool similar to ifupdown
ii shim-helpers-amd64-signed 1+15.8+1+pmx1 amd64 boot loader to chain-load signed boot loaders (signed by Proxmox)
ii shim-signed:amd64 1.44+pmx1+15.8-1+pmx1 amd64 Secure Boot chain-loading bootloader (Microsoft-signed binary)
ii shim-signed-common 1.44+pmx1+15.8-1+pmx1 all Secure Boot chain-loading bootloader (common helper scripts)
ii shim-unsigned:amd64 15.8-1+pmx1 amd64 boot loader to chain-load signed boot loaders under Secure Boot

Thanks

Also a misidentification for https://security-tracker.debian.org/tracker/CVE-2022-1304:
vulnerable 1.46.2-2 vs fixed 1.46.2-2+deb11u1

And my proxmox7 system has 1.46.5-2~bpo11+2, which seems to be from backports as per https://tracker.debian.org/pkg/e2fsprogs. The backports bug was identified long ago: "debsecan: Better report for backports" https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470065

As for proxmox custom packages, I am not sure if there is a plan/way to get them into https://security-tracker.debian.org/

For now, I added an exception:

Code:
$ sudo debsecan --add-whitelist CVE-2021-3997 CVE-2022-1304 CVE-2022-3821 CVE-2022-4415 CVE-2023-50387 CVE-2023-50868 CVE-2023-7008
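An added example, not from the post and not debsecan's own code: Debian's version ordering (the rules behind `dpkg --compare-versions`) re-implemented in Python and run over the two installed/fixed pairs quoted above; it assumes nothing beyond those version strings. Under that ordering both installed versions rank above the fixing versions (note that the last '-' starts the revision, so 247.3-7+1-pmx11u1 parses as upstream 247.3-7+1), so the reports are not caused by the version comparison itself going the wrong way.

```python
import re
from itertools import zip_longest

def _order(c):
    # dpkg ordering: '~' < end of string < letters < every other character.
    if c in ("~", ""):
        return -1 if c else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_nondigit(a, b):
    for x, y in zip_longest(a, b, fillvalue=""):
        if _order(x) != _order(y):
            return -1 if _order(x) < _order(y) else 1
    return 0

def _cmp_part(a, b):
    # Alternate non-digit runs (lexical, via _order) and digit runs (numeric).
    seg = re.compile(r"(\D*)(\d*)")
    while a or b:
        ma, mb = seg.match(a), seg.match(b)
        if (r := _cmp_nondigit(ma.group(1), mb.group(1))):
            return r
        ia, ib = int(ma.group(2) or 0), int(mb.group(2) or 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[ma.end():], b[mb.end():]
    return 0

def split_version(v):
    """(epoch, upstream, revision); the revision starts at the LAST '-'."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """-1, 0 or 1, matching dpkg --compare-versions lt / eq / gt."""
    (ea, ua, ra), (eb, ub, rb) = split_version(a), split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def check_post_cases():
    # The two pairs quoted in the post: installed vs. version the tracker expects.
    cases = {"CVE-2021-3997": ("247.3-7+1-pmx11u1", "247.3-7+deb11u5"),
             "CVE-2022-1304": ("1.46.5-2~bpo11+2", "1.46.2-2+deb11u1")}
    return {cve: compare_versions(i, f) >= 0 for cve, (i, f) in cases.items()}
```

On a Debian host the same answer can be cross-checked with `dpkg --compare-versions 247.3-7+1-pmx11u1 gt 247.3-7+deb11u5 && echo gt`.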