May I know what the meanings of "fixed" and "obsolete" are in debsecan on Ubuntu?

Output of "debsecan --suite bookworm":
a) CVE-2024-xxxxx {Package Name} (fixed, obsolete)
b) CVE-2024-xxxxx {Package Name} (fixed)
c) CVE-2024-xxxxx {Package Name} (obsolete)

And is the vulnerability fixed?

$ debsecan --suite bookworm --format detail

CVE-2021-33061
  Insufficient control flow management for the Intel(R) 82599 Ethernet C ...
  installed: linux-headers-5.15.0-100-generic 5.15.0-100.110
             (built from linux 5.15.0-100.110)
             package is obsolete
  fixed in unstable: linux 5.18.2-1 (source package)

CVE-2021-33631
  Integer Overflow or Wraparound vulnerability in openEuler kernel on Li ...
  installed: linux-headers-5.15.0-102-generic 5.15.0-102.112
             (built from linux 5.15.0-102.112)
             package is obsolete
  fixed in unstable: linux 6.1.4-1 (source package)
  fixed on branch:   linux 4.19.282-1 (source package)
  fixed on branch:   linux 4.19.289-1 (source package)
  fixed on branch:   linux 4.19.289-2 (source package)
  fixed on branch:   linux 4.19.304-1 (source package)
  fixed on branch:   linux 4.19.316-1 (source package)
  fixed on branch:   linux 5.10.178-1 (source package)
  fixed on branch:   linux 5.10.179-1 (source package)
  fixed on branch:   linux 5.10.179-2 (source package)
  fixed on branch:   linux 5.10.179-3 (source package)
  fixed on branch:   linux 5.10.179-5 (source package)
  fixed on branch:   linux 5.10.191-1 (source package)
  fixed on branch:   linux 5.10.197-1 (source package)
  fixed on branch:   linux 5.10.205-1 (source package)
  fixed on branch:   linux 5.10.205-2 (source package)
  fixed on branch:   linux 5.10.209-1 (source package)
  fixed on branch:   linux 5.10.209-2 (source package)
  fixed on branch:   linux 5.10.215-1 (source package)
  fixed on branch:   linux 5.10.216-1 (source package)
  fixed on branch:   linux 5.10.218-1 (source package)
  fixed on branch:   linux 5.10.221-1 (source package)

Installed Package:

$ apt list --installed | fgrep linux-headers

linux-headers-5.15.0-100-generic/jammy-updates,jammy-security,now 5.15.0-100.110 amd64 [installed]
linux-headers-5.15.0-100/jammy-updates,jammy-security,now 5.15.0-100.110 all [installed]
linux-headers-5.15.0-102-generic/jammy-updates,jammy-security,now 5.15.0-102.112 amd64 [installed]
linux-headers-5.15.0-102/jammy-updates,jammy-security,now 5.15.0-102.112 all [installed]
linux-headers-5.15.0-113-generic/jammy-updates,jammy-security,now 5.15.0-113.123 amd64 [installed,automatic]
linux-headers-5.15.0-113/jammy-updates,jammy-security,now 5.15.0-113.123 all [installed,automatic]
linux-headers-5.15.0-118-generic/jammy-updates,jammy-security,now 5.15.0-118.128 amd64 [installed,automatic]
linux-headers-5.15.0-118/jammy-updates,jammy-security,now 5.15.0-118.128 all [installed,automatic]
linux-headers-5.15.0-97-generic/jammy-updates,jammy-security,now 5.15.0-97.107 amd64 [installed]
linux-headers-5.15.0-97/jammy-updates,jammy-security,now 5.15.0-97.107 all [installed]
linux-headers-generic/jammy-updates,jammy-security,now 5.15.0.118.118 amd64 [installed,automatic]

1 Answer

I’ll address your question further down, but it’s important to understand that debsecan shouldn’t be used on Ubuntu: its vulnerability data comes from Debian, not Ubuntu, so it doesn’t know about Ubuntu-specific security releases, and some package names are mismatched (especially kernels). See this issue for details; note that the workaround given there is no longer available; the corresponding repository was archived in 2021.

“Fixed” means that the vulnerability has been fixed, and that an updated package is available in the repositories. Running apt upgrade should apply the fix to your system.

“Obsolete” means that the package is no longer available; this usually means that it has been replaced by another package. The appropriate course of action is to ensure that the replacement package is used, and the obsolete package removed. This is explained in man debsecan:

If the correct --suite option is specified, debsecan may mark some packages as obsolete. This means that the binary package in question has been removed from the archive. In this case, you need to update all the packages depending on the obsolete package, and subsequently remove the obsolete package.
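As an added example (not part of the question, the answer, or debsecan itself), a small Python parser for the `--format detail` layout quoted above that turns each entry into the course of action the answer describes. The sample input is constructed from the two CVEs in the question, and treating any "fixed ..." detail line as the summary's "fixed" flag is this example's assumption.

```python
import re

# Constructed sample in the layout of `debsecan --suite bookworm --format detail`,
# assembled from the two entries quoted in the question; not captured tool output.
SAMPLE = """\
CVE-2021-33061
  Insufficient control flow management for the Intel(R) 82599 Ethernet C ...
  installed: linux-headers-5.15.0-100-generic 5.15.0-100.110
             (built from linux 5.15.0-100.110)
             package is obsolete
  fixed in unstable: linux 5.18.2-1 (source package)

CVE-2021-33631
  Integer Overflow or Wraparound vulnerability in openEuler kernel on Li ...
  installed: linux-headers-5.15.0-102-generic 5.15.0-102.112
             package is obsolete
  fixed in unstable: linux 6.1.4-1 (source package)
  fixed on branch:   linux 4.19.282-1 (source package)
"""

def parse_detail(text):
    """Group the detail output by CVE header and pull out the fields we triage on."""
    entries, cur = [], None
    for line in text.splitlines():
        if re.fullmatch(r"CVE-\d{4}-\d+", line):
            cur = {"cve": line, "package": "", "version": "", "obsolete": False, "fixes": []}
            entries.append(cur)
        elif cur is None:
            continue
        elif line.startswith("  installed: "):
            cur["package"], cur["version"] = line.split()[1:3]
        elif line.strip() == "package is obsolete":
            cur["obsolete"] = True
        elif line.startswith("  fixed "):        # "fixed in unstable" / "fixed on branch"
            cur["fixes"].append(line.strip())
    return entries

def triage(entries):
    """Map each CVE to the action the answer gives: fixed -> apt upgrade pulls the fix;
    obsolete -> update the dependents, then remove the package. (Assumption: any
    "fixed ..." detail line corresponds to the summary's "fixed" flag.)"""
    result = {}
    for e in entries:
        flags = tuple(n for n, on in (("fixed", bool(e["fixes"])), ("obsolete", e["obsolete"])) if on)
        if e["obsolete"]:
            action = f"update packages depending on {e['package']}, then remove it"
        elif e["fixes"]:
            action = f"apt upgrade (new {e['package']} available)"
        else:
            action = "no fix recorded yet"
        result[e["cve"]] = {"package": e["package"], "flags": flags, "action": action}
    return result
```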
