How can I reliably discover CVEs relating to installed packages

Question

I have a web application running on Ubuntu Server 18. One of its dependencies is Ghostscript. The latest version I'm able to install via apt-get is 9.26, but I've learned that this version has a security issue.

What I'm looking for is a way of automatically detecting when a CVE is raised against a package. I had thought I could simply check the apt-get repository but all it can do is tell me if it has a newer version, not if there is a problem with the latest one it does have.

Is there some way of discovering if a version of a package has vulnerabilities from the command line? i.e. some command, or a public API or file I can build a script around?

Answer 1

The latest version I'm able to install via apt-get is 9.26, but I've learned that this version has a security issue.

That is both true and probably not quite the relevant truth.

Almost all major Linux distributions back port security updates. They reasons for backporting and the process is pretty well described on RedHat.com but is similar for Ubuntu. (Please read that whole article.) The short of it is that an older version number reported by the software itself does not automatically equate to insecure at all.

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ghostscript And https://www.ghostscript.com/doc/9.55.0/News.htm

Both show a whole range of issues that are fixed in the latest Ghostscript release.

Do you need to update to Ghostscript 9.55 to fix all of those ?

No.

https://ubuntu.com/security/notices/USN-4686-1 shows that many vulnerabilities have been back ported and Ubuntu 18 is not vulnerable to the most recent CVE at all according to

https://ubuntu.com/security/cves?package=ghostscript

In general regularly applying security updates (for as long as your distribution is supported) will keep you secure.

Answer 2

You need debsecan.

debsecan analyzes the list of installed packages on the current host and reports vulnerabilities found on the system.