Hi, I'd like to use the debsecan tool to keep me updated about open security issues and available fixes. I tried it and it works almost as expected, i.e. almost the same as on a vanilla Debian system. But there seems to be one problem. When a package has an RPi-specific version, as indicated by the +rpt1+ substring in the version suffix, debsecan seems to warn about vulnerabilities in the package even if they have been fixed in the underlying pure Debian version -- the one with +rpt1+ removed.
As an example, consider the package libbluetooth3 as it exists now in the bookworm release, which is version 5.66-1+rpt1+deb12u2. When I run debsecan --suite bookworm it includes vulnerability CVE-2023-27349 in its report. But then, looking this up on security-tracker.debian.org, I learn that this is fixed in the Debian version 5.66-1+deb12u2 -- and so, I presume it is already fixed in the corresponding RPi version as well.
Am I making sense so far? If my understanding above is correct, this would make debsecan not very useful for me after all, because I would have to look at each package changelog after upgrades to track the issues, which is already what I do now ...
So my questions are:
* do I have the facts correct above?
* is this basically a bug in debsecan that ought to be fixed?
* is there an automated workaround now?
Statistics: Posted by nobrowser — Sun Nov 10, 2024 4:12 am
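The check the post describes (strip the Raspberry Pi rebuild marker, then compare what remains against the version the Debian security tracker lists as fixed) can be done mechanically. The script below is an added example, not part of the original post and not debsecan's or dpkg's code: it ports dpkg's version-ordering rules to Python and applies them to the two version strings quoted above. The `+rptN` regex and the `is_fixed` helper are assumptions for illustration; in particular, treating the marker as removable encodes the poster's presumption that the Pi rebuild was made from the fixed Debian source, which is not something the comparison itself can prove.

```python
import re

# Constructed sample values, taken from the forum post: the Raspberry Pi build of
# libbluetooth3 and the version security-tracker.debian.org lists as fixed for
# CVE-2023-27349.
RPI_VERSION = "5.66-1+rpt1+deb12u2"
FIXED_VERSION = "5.66-1+deb12u2"

# Assumption (the poster's presumption, not a documented guarantee): a '+rptN'
# marker denotes a Raspberry Pi rebuild of the Debian version that remains once
# the marker is removed, so that version is the one to compare with the tracker.
RPT_MARKER = re.compile(r"\+rpt\d+")


def strip_rpt(version: str) -> str:
    """Drop the first '+rptN' marker, yielding the underlying Debian version."""
    return RPT_MARKER.sub("", version, count=1)


def _order(c: str) -> int:
    """dpkg's ordering for one character of a non-digit run.

    '~' sorts before everything, including the end of the string; letters sort
    before non-letters; digits and end-of-string both map to 0.
    """
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _take_digits(s: str, k: int) -> tuple:
    """Consume a run of digits starting at index k; an empty run counts as 0."""
    start = k
    while k < len(s) and s[k].isdigit():
        k += 1
    return int(s[start:k] or "0"), k


def _cmp_fragment(a: str, b: str) -> int:
    """Compare one fragment (upstream version or Debian revision) as dpkg does:
    alternate non-digit runs (character order via _order) and digit runs (numeric)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: at least one side has a non-digit character here, whose
        # _order is never 0, so equality below implies both sides advanced safely.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            oa = _order(a[i]) if i < len(a) else 0
            ob = _order(b[j]) if j < len(b) else 0
            if oa != ob:
                return oa - ob
            i += 1
            j += 1
        # Digit run: leading zeros are insignificant, longer numbers are larger.
        na, i = _take_digits(a, i)
        nb, j = _take_digits(b, j)
        if na != nb:
            return na - nb
    return 0


def _split(version: str) -> tuple:
    """Split [epoch:]upstream[-revision]; the revision follows the last '-'."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)
    return (c > 0) - (c < 0)


def is_fixed(installed: str, fixed: str) -> bool:
    """True when the Debian version underlying `installed` is at least `fixed`."""
    return compare_versions(strip_rpt(installed), fixed) >= 0


if __name__ == "__main__":
    state = "fixed" if is_fixed(RPI_VERSION, FIXED_VERSION) else "open"
    print(strip_rpt(RPI_VERSION), "vs", FIXED_VERSION, "->", state)
```

`dpkg --compare-versions` is the reference implementation of the same ordering and can be used to spot-check results from a shell. Note that even without stripping, `5.66-1+rpt1+deb12u2` sorts after `5.66-1+deb12u2` under these rules, because the revision diverges at `+rpt` versus `+deb` and `r` orders after `d`; the stripping matters when the fixed version is compared as an exact match or when the Pi suffix would otherwise mask a lower Debian base.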