
How To Find Vulnerable Packages In Arch Linux

By sk

Keeping your OS and all installed packages up to date is always best practice. Because Arch Linux is a rolling release, Arch users receive fixes and software updates within days, sooner than users of fixed-release distributions. However, some users can't update their Arch system regularly: they have limited Internet data, they are simply lazy about upgrading, or they fear that an upgrade might break something. If you don't update your Arch Linux often, you should check it for known vulnerabilities from time to time, so that if a high-risk vulnerability turns up you can update immediately. This is where the arch-audit tool comes in handy. It helps you find vulnerable packages in Arch Linux and its derivatives such as Manjaro Linux.

Arch-audit is a utility similar to pkg-audit, based on data from the Arch CVE Monitoring Team. The Arch CVE Monitoring Team (ACMT) is a group of volunteers who identify packages with security vulnerabilities in Arch Linux and notify their maintainers. The main goal of ACMT is to track vulnerabilities across all packages and get the developers to fix them. Please be mindful that arch-audit does not find any vulnerabilities on its own: it downloads the team's data from the Arch Security Tracker at https://security.archlinux.org/, matches it against the packages installed on your system and prints the result in the Terminal. Any false positives or missed issues therefore come from the tracker data, not from the tool, and a vulnerable package that is not yet recorded in the tracker will not be reported.

In this brief tutorial, we will see how to find vulnerable packages in Arch Linux using Arch-audit utility.

Find Vulnerable Packages In Arch Linux using Arch-audit

Arch-audit is available in the community repository, so you can install it with pacman as shown below.

$ sudo pacman -S arch-audit

Once installed, run the following command to find vulnerable packages:

$ arch-audit

Sample output:

Package binutils is affected by CVE-2017-17126, CVE-2017-17125, CVE-2017-17124, CVE-2017-17123, CVE-2017-17122, CVE-2017-15996, CVE-2017-15025, CVE-2017-15024, CVE-2017-15023, CVE-2017-15022, CVE-2017-15021, CVE-2017-15020. High risk!
Package cairo is affected by CVE-2017-7475. Low risk!
Package emacs is affected by CVE-2017-1000383. Medium risk!
Package exiv2 is affected by CVE-2017-11592, CVE-2017-11591, CVE-2017-11553, CVE-2017-17725, CVE-2017-17724, CVE-2017-17723, CVE-2017-17722. Medium risk!
Package lib32-libxml2 is affected by CVE-2018-9251. Medium risk!
Package libffi is affected by CVE-2017-1000376. High risk!
Package libxml2 is affected by CVE-2018-9251. Medium risk!
Package linux is affected by CVE-2018-3646, CVE-2018-3620, CVE-2018-3615, CVE-2018-8897, CVE-2017-5753, CVE-2017-5715, CVE-2018-1121, CVE-2018-1120. High risk!
Package openssh is affected by CVE-2018-15473. Medium risk!
Package patch is affected by CVE-2018-6952, CVE-2018-6951, CVE-2018-1000156. High risk!
Package pcre is affected by CVE-2017-11164. Low risk!
Package podofo is affected by CVE-2017-7994, CVE-2017-7383, CVE-2017-7382, CVE-2017-7381, CVE-2017-7380, CVE-2017-7379, CVE-2017-7378, CVE-2017-6842, CVE-2017-6841, CVE-2017-6840. High risk!
Package systemd is affected by CVE-2018-6954. Medium risk!
Package unzip is affected by CVE-2018-1000035. Medium risk!
Package zsh is affected by CVE-2018-13259, CVE-2018-0502. Low risk!

As you can see in the output above, each affected package is listed with its CVEs and a risk rating (low, medium or high; the tracker also uses critical). Note that this list includes packages for which no fixed version exists yet: arch-audit reports everything the tracker knows about, whether or not an upgrade would resolve it.

To list only the names of the affected packages (handy for scripting), use the -q flag as shown below:

$ arch-audit -q
binutils
cairo
emacs
exiv2
lib32-libxml2
libffi
libxml2
linux
openssh
patch
pcre
podofo
systemd
unzip
zsh

To show only packages for which a fixed version is already available in the repositories, use the -u flag. Combined with -q, each line is printed as name>=version, where the version is the one that contains the fix:

$ arch-audit -qu
bluez>=5.46-2
chromium>=61.0.3163.79-1
curl>=7.55-1
ffmpeg>=1:3.3.4-1
ffmpeg2.8>=2.8.13-1
flashplugin>=26.0.0.151-1
lib32-expat>=2.2.2-1
lib32-libgcrypt>=1.8.1-1
libgcrypt>=1.8.1-1
libsoup>=2.58.2-1
linux>=4.12.13-1
newsbeuter>=2.9-7
webkit2gtk>=2.16.6-1
xorg-server>=1.19.3-3

The packages listed above have already been fixed by the developers; upgrading to at least the version shown after >= resolves the reported issues. Packages that appear in the plain arch-audit output but not in this list are still unfixed, so upgrading will not make them disappear yet.

You need to update the high-risk and critical-risk packages as soon as possible. However, Arch does not support partial upgrades, so rather than installing individual packages I recommend updating all of them by running a full system upgrade:

$ sudo pacman -Syu
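As an added example, not code from this page or from the arch-audit project, here is a POSIX shell script that post-processes arch-audit's output for unattended use: it counts packages per risk level, extracts the CVEs reported for one package, checks whether anything is rated High or Critical so a cron job can alert you, and turns the `arch-audit -qu` lines into a plain package list. The line format it parses is the one shown on this page. The sample lines are constructed from the page's output; on a real host you would pipe the live `arch-audit` and `arch-audit -qu` output into these functions instead.

```shell
#!/bin/sh
# Added example: post-process arch-audit output for a cron job or monitoring
# check. The samples below are constructed from the page's output; on a real
# host you would pipe `arch-audit` / `arch-audit -qu` into these functions.

SAMPLE_AUDIT='Package binutils is affected by CVE-2017-17126, CVE-2017-15020. High risk!
Package cairo is affected by CVE-2017-7475. Low risk!
Package linux is affected by CVE-2018-3646, CVE-2018-8897. High risk!
Package openssh is affected by CVE-2018-15473. Medium risk!
Package zsh is affected by CVE-2018-13259, CVE-2018-0502. Low risk!'

SAMPLE_UPGRADABLE='curl>=7.55-1
linux>=4.12.13-1
xorg-server>=1.19.3-3'

# risk_summary: read `arch-audit` output on stdin and print "LEVEL COUNT" per
# risk level, sorted so the output is stable for comparison or alerting.
risk_summary() {
    awk '/ risk!$/ { n[$(NF-1)]++ } END { for (l in n) print l, n[l] }' | sort
}

# has_high_risk: exit 0 if any package on stdin is rated High or Critical,
# else exit 1. Usable as the condition of a cron job that mails or pages.
has_high_risk() {
    grep -Eq '\. (High|Critical) risk!$'
}

# cves_for PKG: print the CVE identifiers reported for PKG, one per line.
# Field 6 onwards holds the comma-separated CVE list; the trailing "," or "."
# is stripped from each identifier.
cves_for() {
    awk -v pkg="$1" '
        $1 == "Package" && $2 == pkg {
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^CVE-/) { sub(/[,.]$/, "", $i); print $i }
            }
        }'
}

# fixed_packages: strip the ">=version" suffix from `arch-audit -qu` lines,
# leaving only the names of packages that already have a fix in the repos.
fixed_packages() {
    sed 's/>=.*$//'
}

# Demo run on the constructed samples.
echo "Risk summary:"
printf '%s\n' "$SAMPLE_AUDIT" | risk_summary
echo
echo "CVEs for linux:"
printf '%s\n' "$SAMPLE_AUDIT" | cves_for linux
echo
if printf '%s\n' "$SAMPLE_AUDIT" | has_high_risk; then
    echo "High-risk packages present; run a full upgrade (partial upgrades are unsupported on Arch):"
    echo "  sudo pacman -Syu"
    echo "Packages with a fix already available: $(printf '%s\n' "$SAMPLE_UPGRADABLE" | fixed_packages | tr '\n' ' ')"
fi
```

To use this on a real system, replace the `printf '%s\n' "$SAMPLE_AUDIT"` pipelines with `arch-audit` and the `SAMPLE_UPGRADABLE` one with `arch-audit -qu`; `has_high_risk` then gives you an exit status you can hang a cron mail or a monitoring alert on, without parsing the human-readable output by hand.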

For more details about arch-audit, refer to the man page:

$ man arch-audit
