labunix's blog

labunix's Lab Unix

Getting Debian Wheezy security information (DSA / CVE / critical bugs)

■ On my machine I bring everything up to date at boot with the following.
 "-f" is short for "--fix-broken".

# for list in update upgrade autoremove autoclean;do \
    apt-get -y -f $list; \
  done

■ DSA updates are also reported by system mail.
 I have been running this for two years and it has worked without any particular problems.

 labunix / debian_security.sh
 https://gist.github.com/labunix/2781338

 Notifying Debian security information updates by system mail
 http://d.hatena.ne.jp/labunix/20120524

■ Still, sometimes I want to see them all at once.
 For example, the list of DSAs issued so far in 2014:

$ w3m -dump "https://www.debian.org/security/2014/" | grep "\[2014"
[2014-06-12] DSA-2958 apt - security update
[2014-06-12] DSA-2957 mediawiki - security update
[2014-06-11] DSA-2956 icinga - security update
[2014-06-11] DSA-2955 iceweasel - security update
[2014-06-09] DSA-2954 dovecot - security update
[2014-06-08] DSA-2953 dpkg - security update
[2014-06-05] DSA-2952 kfreebsd-9 - security update
[2014-06-05] DSA-2951 mupdf - セキュリティ更新
[2014-06-05] DSA-2950 openssl - セキュリティ更新
[2014-06-05] DSA-2949 linux - セキュリティ更新
[2014-06-04] DSA-2948 python-bottle - セキュリティ更新
[2014-06-04] DSA-2947 libav - セキュリティ更新
[2014-06-04] DSA-2946 python-gnupg - セキュリティ更新
[2014-06-03] DSA-2945 chkrootkit - セキュリティ更新
[2014-06-01] DSA-2944 gnutls26 - セキュリティ更新
[2014-06-01] DSA-2943 php5 - セキュリティ更新
[2014-06-01] DSA-2942 typo3-src - セキュリティ更新
[2014-06-01] DSA-2941 lxml - セキュリティ更新
[2014-05-31] DSA-2939 chromium-browser - セキュリティ更新
[2014-05-27] DSA-2938 - Debian 6.0 / squeeze 向け LTS サポートが利用できるよう
[2014-05-27] DSA-2937 mod-wsgi - セキュリティ更新
[2014-05-23] DSA-2936 torque - セキュリティ更新
[2014-05-21] DSA-2935 libgadu - セキュリティ更新
[2014-05-19] DSA-2934 python-django - セキュリティ更新
[2014-05-19] DSA-2933 qemu-kvm - セキュリティ更新
[2014-05-19] DSA-2932 qemu - セキュリティ更新
[2014-05-18] DSA-2931 openssl - セキュリティ更新
[2014-05-17] DSA-2930 chromium-browser - セキュリティ更新
[2014-05-16] DSA-2929 ruby-actionpack-3.2 - セキュリティ更新
[2014-05-14] DSA-2928 linux-2.6 - 特権の昇格/サービス拒否/情報漏洩
[2014-05-13] DSA-2927 libxfont - セキュリティ更新
[2014-05-12] DSA-2926 linux - セキュリティ更新
[2014-05-08] DSA-2925 rxvt-unicode - セキュリティ更新
[2014-05-05] DSA-2924 icedove - セキュリティ更新
[2014-05-05] DSA-2923 openjdk-7 - セキュリティ更新
[2014-05-05] DSA-2922 strongswan - セキュリティ更新
[2014-05-04] DSA-2921 xbuffy - セキュリティ更新
[2014-05-03] DSA-2920 chromium-browser - セキュリティ更新
[2014-05-03] DSA-2919 mysql-5.5 - セキュリティ更新
[2014-04-30] DSA-2918 iceweasel - セキュリティ更新
[2014-04-28] DSA-2917 super - セキュリティ更新
[2014-04-28] DSA-2916 libmms - セキュリティ更新
[2014-04-28] DSA-2915 dpkg - セキュリティ更新
[2014-04-25] DSA-2914 drupal6 - セキュリティ更新
[2014-04-25] DSA-2913 drupal7 - セキュリティ更新
[2014-04-24] DSA-2912 openjdk-6 - セキュリティ更新
[2014-04-22] DSA-2911 icedove - セキュリティ更新
[2014-04-18] DSA-2910 qemu-kvm - セキュリティ更新
[2014-04-18] DSA-2909 qemu - セキュリティ更新
[2014-04-17] DSA-2908 openssl - セキュリティ更新
[2014-04-16] DSA-2907 - Debian 旧安定版の長期サポート告知
[2014-04-24] DSA-2906 linux-2.6 - 特権の昇格/サービス拒否/情報漏洩
[2014-04-15] DSA-2905 chromium-browser - セキュリティ更新
[2014-04-15] DSA-2904 virtualbox - セキュリティ更新
[2014-04-14] DSA-2903 strongswan - セキュリティ更新
[2014-04-13] DSA-2902 curl - セキュリティ更新
[2014-04-12] DSA-2901 wordpress - セキュリティ更新
[2014-04-10] DSA-2900 jbigkit - セキュリティ更新
[2014-04-09] DSA-2899 openafs - セキュリティ更新
[2014-04-09] DSA-2898 imagemagick - セキュリティ更新
[2014-04-08] DSA-2897 tomcat7 - セキュリティ更新
[2014-04-07] DSA-2896 openssl - セキュリティ更新
[2014-04-06] DSA-2895 prosody - セキュリティ更新
[2014-04-05] DSA-2894 openssh - セキュリティ更新
[2014-03-31] DSA-2893 openswan - セキュリティ更新
[2014-03-31] DSA-2892 a2ps - セキュリティ更新
[2014-03-30] DSA-2891 mediawiki, mediawiki-extensions - セキュリティ更新
[2014-03-29] DSA-2890 libspring-java - セキュリティ更新
[2014-03-28] DSA-2889 postfixadmin - セキュリティ更新
[2014-03-27] DSA-2888 ruby-actionpack-3.2 - セキュリティ更新
[2014-03-27] DSA-2887 ruby-actionmailer-3.2 - セキュリティ更新
[2014-03-26] DSA-2886 libxalan2-java - セキュリティ更新
[2014-03-26] DSA-2885 libyaml-libyaml-perl - セキュリティ更新
[2014-03-26] DSA-2884 libyaml - セキュリティ更新
[2014-03-23] DSA-2883 chromium-browser - セキュリティ更新
[2014-03-20] DSA-2882 extplorer - セキュリティ更新
[2014-03-19] DSA-2881 iceweasel - セキュリティ更新
[2014-03-17] DSA-2880 python2.7 - セキュリティ更新
[2014-03-13] DSA-2879 libssh - セキュリティ更新
[2014-03-13] DSA-2878 virtualbox - セキュリティ更新
[2014-03-12] DSA-2877 lighttpd - セキュリティ更新
[2014-03-12] DSA-2876 cups - セキュリティ更新
[2014-03-12] DSA-2875 cups-filters - セキュリティ更新
[2014-03-12] DSA-2874 mutt - セキュリティ更新
[2014-03-11] DSA-2873 file - 複数の脆弱性
[2014-03-10] DSA-2872 udisks - 複数の脆弱性
[2014-03-10] DSA-2871 wireshark - 複数の脆弱性
[2014-03-08] DSA-2870 libyaml-libyaml-perl - ヒープベースのバッファオーバーフロ
[2014-03-03] DSA-2869 gnutls26 - 証明書検証の誤り
[2014-03-02] DSA-2868 php5 - サービス拒否
[2014-02-23] DSA-2867 otrs2 - 複数の脆弱性
[2014-02-22] DSA-2866 gnutls26 - 証明書検証の欠陥
[2014-02-20] DSA-2865 postgresql-9.1 - 複数の脆弱性
[2014-02-20] DSA-2864 postgresql-8.4 - 複数の脆弱性
[2014-02-18] DSA-2863 libtar - ディレクトリトラバーサル
[2014-02-16] DSA-2862 chromium-browser - 複数の脆弱性
[2014-02-16] DSA-2861 file - サービス拒否
[2014-02-11] DSA-2860 parcimonie - 情報漏洩
[2014-02-10] DSA-2859 pidgin - 複数の脆弱性
[2014-02-10] DSA-2858 iceweasel - 複数の脆弱性
[2014-02-08] DSA-2857 libspring-java - 複数の脆弱性
[2014-02-07] DSA-2856 libcommons-fileupload-java - サービス拒否
[2014-02-05] DSA-2855 libav - 複数の脆弱性
[2014-02-05] DSA-2854 mumble - 複数の脆弱性
[2014-02-05] DSA-2853 horde3 - リモートからのコードの実行
[2014-02-06] DSA-2852 libgadu - ヒープベースのバッファオーバーフロー
[2014-02-02] DSA-2851 drupal6 - impersonation
[2014-01-31] DSA-2850 libyaml - ヒープベースのバッファオーバーフロー
[2014-01-31] DSA-2849 curl - 情報漏洩
[2014-01-23] DSA-2848 mysql-5.5 - 複数の脆弱性
[2014-01-20] DSA-2847 drupal7 - 複数の脆弱性
[2014-01-17] DSA-2846 libvirt - 複数の脆弱性
[2014-01-17] DSA-2845 mysql-5.1 - 複数の脆弱性
[2014-01-15] DSA-2844 djvulibre - 任意のコードの実行
[2014-01-13] DSA-2843 graphviz - バッファオーバーフロー
[2014-01-13] DSA-2842 libspring-java - サービス拒否
[2014-01-11] DSA-2841 movabletype-opensource - クロスサイトスクリプティング
[2014-01-10] DSA-2840 srtp - バッファオーバーフロー
[2014-01-08] DSA-2839 spice - サービス拒否
[2014-01-07] DSA-2838 libxfont - バッファオーバーフロー
[2014-01-07] DSA-2837 openssl - プログラミングの誤り
[2014-01-05] DSA-2836 devscripts - 任意のコードの実行
[2014-01-05] DSA-2835 asterisk - バッファオーバーフロー
[2014-01-01] DSA-2834 typo3-src - 複数の脆弱性
[2014-01-01] DSA-2833 openssl - 複数の脆弱性
[2014-01-01] DSA-2832 memcached - 複数の脆弱性

■ Since DSAs are CVE-compatible, you can get the list of CVE URLs tied to each DSA.

 Debian and CVE compatibility
 https://www.debian.org/security/cve-compatibility

■ Get the list of CVEs for the DSAs of June 2014.
 When one DSA covers several CVEs, the same DSA appears on repeated lines.

 You can see that 18 DSAs correspond to 32 CVE entries (the count is of lines, so a CVE that is linked more than once on a DSA page is counted again).

$ w3m -dump "https://www.debian.org/security/2014/" | grep "\[2014-06"  | awk '{sum+=1;print $0};END{print sum}'
[2014-06-12] DSA-2958 apt - security update
[2014-06-12] DSA-2957 mediawiki - security update
[2014-06-11] DSA-2956 icinga - security update
[2014-06-11] DSA-2955 iceweasel - security update
[2014-06-09] DSA-2954 dovecot - security update
[2014-06-08] DSA-2953 dpkg - security update
[2014-06-05] DSA-2952 kfreebsd-9 - security update
[2014-06-05] DSA-2951 mupdf - セキュリティ更新
[2014-06-05] DSA-2950 openssl - セキュリティ更新
[2014-06-05] DSA-2949 linux - セキュリティ更新
[2014-06-04] DSA-2948 python-bottle - セキュリティ更新
[2014-06-04] DSA-2947 libav - セキュリティ更新
[2014-06-04] DSA-2946 python-gnupg - セキュリティ更新
[2014-06-03] DSA-2945 chkrootkit - セキュリティ更新
[2014-06-01] DSA-2944 gnutls26 - セキュリティ更新
[2014-06-01] DSA-2943 php5 - セキュリティ更新
[2014-06-01] DSA-2942 typo3-src - セキュリティ更新
[2014-06-01] DSA-2941 lxml - セキュリティ更新
18

$ w3m -dump "https://www.debian.org/security/2014/" | \
    grep "\[2014-06" | awk '{print $2}' | \
    tr '[A-Z]' '[a-z]' | \
    for list in `xargs`;do \
      wget -O - "https://www.debian.org/security/2014/${list}" 2> /dev/null | \
      grep "tracker\/CVE" | sed s%".*href=\""%%g | \
      awk -F\" '{print "'${list}',"$1}'; \
    done | awk '{sum+=1;print $0};END{print sum}'
dsa-2958,https://security-tracker.debian.org/tracker/CVE-2014-0478
dsa-2957,https://security-tracker.debian.org/tracker/CVE-2014-3966
dsa-2956,https://security-tracker.debian.org/tracker/CVE-2014-2386
dsa-2955,https://security-tracker.debian.org/tracker/CVE-2014-1545
dsa-2954,https://security-tracker.debian.org/tracker/CVE-2014-3430
dsa-2953,https://security-tracker.debian.org/tracker/CVE-2014-3865
dsa-2952,https://security-tracker.debian.org/tracker/CVE-2014-3880
dsa-2952,https://security-tracker.debian.org/tracker/CVE-2014-1453
dsa-2952,https://security-tracker.debian.org/tracker/CVE-2014-3000
dsa-2952,https://security-tracker.debian.org/tracker/CVE-2014-3880
dsa-2951,https://security-tracker.debian.org/tracker/CVE-2014-2013
dsa-2950,https://security-tracker.debian.org/tracker/CVE-2014-3470
dsa-2950,https://security-tracker.debian.org/tracker/CVE-2014-0195
dsa-2950,https://security-tracker.debian.org/tracker/CVE-2014-0221
dsa-2950,https://security-tracker.debian.org/tracker/CVE-2014-0224
dsa-2950,https://security-tracker.debian.org/tracker/CVE-2014-3470
dsa-2950,https://security-tracker.debian.org/tracker/CVE-2014-3153
dsa-2949,https://security-tracker.debian.org/tracker/CVE-2014-3153
dsa-2949,https://security-tracker.debian.org/tracker/CVE-2014-3144
dsa-2949,https://security-tracker.debian.org/tracker/CVE-2014-3145
dsa-2949,https://security-tracker.debian.org/tracker/CVE-2014-3153
dsa-2948,https://security-tracker.debian.org/tracker/CVE-2014-3137
dsa-2946,https://security-tracker.debian.org/tracker/CVE-2014-1929
dsa-2945,https://security-tracker.debian.org/tracker/CVE-2014-0476
dsa-2944,https://security-tracker.debian.org/tracker/CVE-2014-3466
dsa-2943,https://security-tracker.debian.org/tracker/CVE-2014-2270
dsa-2943,https://security-tracker.debian.org/tracker/CVE-2014-0185
dsa-2943,https://security-tracker.debian.org/tracker/CVE-2014-0185
dsa-2943,https://security-tracker.debian.org/tracker/CVE-2014-0237
dsa-2943,https://security-tracker.debian.org/tracker/CVE-2014-0238
dsa-2943,https://security-tracker.debian.org/tracker/CVE-2014-2270
dsa-2941,https://security-tracker.debian.org/tracker/CVE-2014-3146
32
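The pipeline above counts raw "dsa,url" lines, so a CVE linked twice on one DSA page (dsa-2950 and CVE-2014-3470 in the output) is counted twice. The script below is an added example, not code from the original post: it reduces those lines to distinct DSA/CVE pairs, counts CVEs per DSA, and counts distinct CVE ids overall. The sample lines are copied from the output shown above so that it runs offline; in practice, pipe the real output into `cves_per_dsa` or `distinct_cve_count` instead.

```shell
#!/bin/sh
# Added example (not the original post's code): summarise "dsa,cve-url" lines
# as produced by the pipeline above, deduplicating repeated links per DSA.

# Sample input copied from the output shown above, embedded for offline use.
sample_pairs() {
  cat <<'EOF'
dsa-2958,https://security-tracker.debian.org/tracker/CVE-2014-0478
dsa-2952,https://security-tracker.debian.org/tracker/CVE-2014-3880
dsa-2952,https://security-tracker.debian.org/tracker/CVE-2014-1453
dsa-2952,https://security-tracker.debian.org/tracker/CVE-2014-3000
dsa-2952,https://security-tracker.debian.org/tracker/CVE-2014-3880
dsa-2950,https://security-tracker.debian.org/tracker/CVE-2014-3470
dsa-2950,https://security-tracker.debian.org/tracker/CVE-2014-0195
dsa-2950,https://security-tracker.debian.org/tracker/CVE-2014-0221
dsa-2950,https://security-tracker.debian.org/tracker/CVE-2014-0224
dsa-2950,https://security-tracker.debian.org/tracker/CVE-2014-3470
dsa-2950,https://security-tracker.debian.org/tracker/CVE-2014-3153
dsa-2949,https://security-tracker.debian.org/tracker/CVE-2014-3153
EOF
}

# Reduce each "dsa,url" line to "dsa CVE-id" (last path component of the
# tracker URL) and drop duplicate pairs.
unique_pairs() {
  awk -F, '{ n = split($2, p, "/"); print $1, p[n] }' | sort -u
}

# Number of distinct CVE ids per DSA, largest first.
cves_per_dsa() {
  unique_pairs | awk '{ c[$1]++ } END { for (d in c) print c[d], d }' \
    | sort -k1,1nr -k2,2
}

# Number of distinct CVE ids across the whole input
# (a CVE referenced by two DSAs is counted once).
distinct_cve_count() {
  unique_pairs | awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}

# Stand-alone run on the embedded sample.
sample_pairs | cves_per_dsa
printf 'distinct CVEs: %s\n' "$(sample_pairs | distinct_cve_count)"
```

On the sample this reports 5 CVEs for dsa-2950, 3 for dsa-2952, 1 each for dsa-2958 and dsa-2949, and 9 distinct CVE ids from 12 input lines, which is the figure to compare against a vulnerability scanner's findings rather than the raw line count.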

■ Get the list of bug numbers and packages for critical bugs from the web

$ w3m -dump "https://bugs.debian.org/severity:critical" | \
    grep "#[0-9]* " | awk -F\[ '{print $1,$3}' | awk -F\] '{print $1}' | \
    sort -n -k 1
#504099  gnu-fdisk
#516394  djbdns
#621786  mdadm
#622230  unscd
#635297  mt-daapd
#666018  grub-efi-amd64
#682993  grub-pc
#702889  afpfs-ng
#705124  linux-image-2.6.32-5-xen-amd64
#706330  gtk3-engines-unico
#706482  gcc-msp430
#706484  logrotate
#706877  insserv
#707831  grub-pc
#713994  xfsprogs
#717536  phoronix-test-suite
#717716  libpam-tacplus
#721303  udisks
#723957  slapd
#724712  bootlogd
#727073  ifupdown
#727149  src:linux
#728312  libpam-gnome-keyring
#730487  libxdg-basedir1
#732047  inn2
#732939  src:linux
#733059  gnome-screensaver
#733762  cdrom
#734908  gcr
#735935  grub-common
#737018  pypy
#737396  kscreensaver
#737613  xen-hypervisor-4.3-amd64
#738122  nut
#738493  liblwpx-paranoidagent-perl
#739989  src:debian-installer-utils
#740456  lvm2
#740462  bluetooth
#740509  freebsd-net-tools
#741464  grub-pc-bin
#741557  libapache2-mod-gnutls
#741726  src:grub2
#744215  wvdial
#745272  nagios-nrpe-server
#747506  src:openjdk-6
#747532  iceowl-extension
#747670  cryptsetup
#748173  grub-efi-amd64
#748314  kde-runtime-data
#748574  src:linux
#748910  libapache2-mod-wsgi
#749016  src:linux
#749215  typo3-src
#750221  mandos-client
#750445  src:linux
#750539  libgnutls28
#750909  src:systemd
#750952  netselect-apt
#751488  initramfs-tools

■ Get one-line descriptions with querybts.
 Many of the critical bug fixes are not CVEs at all.

$  dpkg -l reportbug | grep ^ii >/dev/null || \
     sudo apt-get install -y reportbug && \
     w3m -dump "https://bugs.debian.org/severity:critical" | \
       grep "#[0-9]* " | awk -F\[ '{print $1}' | sed s/".*#"/"#"/g | \
       xargs querybts -b -u text --proxy=http://localhost:8080/
#750539  CVE-2014-3466: gnutls 3.3.2 (in experimental) still vulnerable to GNUTLS-SA-2014-3
#732939  linux-image-3.11-2-686-pae: Data corruption with ASMedia ASM1061 SATA IDE Controller in AHCI-Mode
#741726  grub: generated grub.cfg leads to non booting system. Drops to rescue shell after not finding root device.
#666018  grub-efi-amd64: fails to boot linux with initrd
#706482  gcc-msp430: generated interrupt table for MSP430FR5xxx parts will blow security fuse
#750952  netselect-apt: netselect choose inexistant mirrors - (dash)
#732047  Purging inn2 destroys /var/lib/news even if inn2-lfs is installed
#717716  libpam-tacplus: installing libpam-tacplus makes system inaccessible
#516394  [security]: Rapid DNS Poisoning in dnscache
#724712  compressed logs not purged
#727149  linux-image-3.10-3-amd64: Network adapter (Intel 82579V) hangs during TX, causing reset and undetected data corruption at the other side
#706484  racy creation of logrotate.state file causing lost logfiles
#741557  libapache2-mod-gnutls: apache will not start if mod_authnz_ldap is loaded before mod_gnutls
#702889  Passes literal struct instead of pointer-to-struct
#748314  kde-runtime-data: kuiserver parse initrd at each kde startup
#740456  LVM operations returns: [vectors]: munlock failed: Cannot allocate memory
#682993  grub-pc: grub-probe reports wrong UUID for md raid1 device
#727073  ifupdown: current version somehow brings the ifaces up too late
#749215  TYPO3-CORE-SA-2014-001: Multiple Vulnerabilities in TYPO3 CMS
#621786  mdadm: invalid pointer or memory corruption on armel system when accessing mtdblock devices
#706330  Some applications segfaults after upgrade to 3.8.0-1
#728312  libpam-gnome-keyring: does not properly kill gnome-keyring-daemon before exit, race condition causes pam umount fail
#738493  liblwpx-paranoidagent-perl: can't verify hostnames
#730487  libxdg-basedir: Writing beyond allocated buffer
#734908  gcr-prompter steals all focus
#622230  unscd is more noisy than nscd while invalidating caches
#504099  gnu-fdisk: fails to display GPT partition properly
#748910  CVE-2014-0240: Possibility of local privilege escalation when using daemon, mode
#740509  ifconfig: ioctl(SIOCGIFINFO_IN6): No such device or address
#713994  xfsprogs: Failure to allocate new space, potentially after an xfs_grow, to existing files
#735935  grub2: LVM trouble at boot with several PVs
#751488  initramfs-tools: Shell spawned despite panic=0
#733059  gnome-screensaver not working on all gnome-sessions
#748173  grub-efi-amd64: Boot failure after upgrade to 2.02~beta2-10
#738122  nut: riello_usb fills up /var/log filesystem
#750445  Cannot enumerate USB device in AMD64 wheezy or jessie - AMD 970 Northbridge
#749016  linux-image-3.14-1-amd64: initrd generated under 3.14-1 v3.14.4-1 does not load sd_mod, boot fails
#721303  udisks: breaks LVM and deadlocks LVM related IO to system [SEC=UNCLASSIFIED]
#705124  ext3 fs corruption in squeeze PV domain under wheezy Xen
#750909  systemd: breaks a big part of my system
#635297  mt-daapd: Firefly starts up with a default admin password
#745272  nagios-nrpe: CVE-2014-2913: Remote command execution
#737018  pypy: Fails to install on i386 without SSE2
#707831  Broken UUID detection code makes LVM systems unbootable after adding a new PV
#747506  openjdk-6: cannot load libsikuli-script-java any more
#717536  phoronix-test-suite: installs software from outside debian
#737613  xen-hypervisor-4.3-amd: Xen not loading dom0 on Jessie - FATAL error on running /etc/init.d/xen
#748574  3.14.1 does not boot on Dell server
#740462  bluetooth: Connecting Apple magic trackpad hangs system
#747532  iceowl-extension: aptitude dist-upgrade fails due to wrong use of Conflicts:
#741464  grub-pc-bin: hangs after displaying boot menu
#750221  mandos-client needs dpkg-architecture but does not depend on dpkg-dev
#739989  debian-installer-utils: log-output change breaks speech synthesis
#744215  wvdial: Segmentation fault during modem initialization
#747670  cryptsetup should depend on a version of cryptsetup-bin that support --type option
#733762  cdrom: installing base system fails on corrupt/truncated /var/lib/dpkg/status (BD-DL 7.3.0)
#706877  insserv: breaks dist-upgrade by installing before packages fix their init scripts
#737396  kscreensaver: locked screen allows any password if a third session (vt9) is also active
#723957  slapd: commented olcDbDirectory config line causes unusable system and potential data loss on upgrade
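The two outputs above are easier to act on when joined: the "#bug  package" list tells you which package is affected, and the querybts title tells you whether the bug carries a CVE id. The script below is an added example, not code from the original post: it joins the two lists on the bug number, pulls any CVE id out of the title with a regex, and counts how many critical bugs reference a CVE. The sample lines are copied from the outputs shown above so it runs offline; in practice, save the two commands' output to files and pass those to `bug_report`.

```shell
#!/bin/sh
# Added example (not the original post's code): join the "#bug  package" list
# from the severity:critical query with the one-line titles from querybts and
# flag which critical bugs carry a CVE identifier.

# Sample input copied from the outputs shown above, embedded for offline use.
sample_packages() {
  cat <<'EOF'
#516394  djbdns
#635297  mt-daapd
#737396  kscreensaver
#745272  nagios-nrpe-server
#748910  libapache2-mod-wsgi
#750539  libgnutls28
EOF
}

sample_titles() {
  cat <<'EOF'
#750539  CVE-2014-3466: gnutls 3.3.2 (in experimental) still vulnerable to GNUTLS-SA-2014-3
#516394  [security]: Rapid DNS Poisoning in dnscache
#748910  CVE-2014-0240: Possibility of local privilege escalation when using daemon, mode
#635297  mt-daapd: Firefly starts up with a default admin password
#745272  nagios-nrpe: CVE-2014-2913: Remote command execution
#737396  kscreensaver: locked screen allows any password if a third session (vt9) is also active
EOF
}

# bug_report PACKAGES_FILE TITLES_FILE
# Emit "bug<TAB>package<TAB>cve-or-none<TAB>title" for every bug present in
# both files, ordered by bug number. Both files use two spaces after the bug
# number, as in the outputs above, so that is the field separator.
bug_report() {
  awk -F'  ' '
    NR == FNR { pkg[$1] = $2; next }          # first file: "#bug  package"
    ($1 in pkg) {                              # second file: "#bug  title"
      cve = "none"
      if (match($2, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/))
        cve = substr($2, RSTART, RLENGTH)
      printf "%s\t%s\t%s\t%s\n", $1, pkg[$1], cve, $2
    }' "$1" "$2" | sort -k1,1
}

# Count the critical bugs whose title carries a CVE id.
count_with_cve() {
  bug_report "$1" "$2" | awk -F'\t' '$3 != "none"' | wc -l | tr -d ' '
}

# Stand-alone run on the embedded samples via temporary files.
run_sample() {
  p=$(mktemp); t=$(mktemp)
  sample_packages > "$p"; sample_titles > "$t"
  bug_report "$p" "$t"
  printf 'with CVE: %s of %s\n' "$(count_with_cve "$p" "$t")" \
    "$(bug_report "$p" "$t" | wc -l | tr -d ' ')"
  rm -f "$p" "$t"
}

run_sample
```

On the sample, 3 of the 6 critical bugs carry a CVE id; the other three (a default admin password, a lock-screen bypass, DNS cache poisoning) are security-relevant all the same, which is the point of checking the critical list rather than relying on DSA mail alone.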