Olivier Forget

Uh, is it normal for an automated scanner to be unaware of patched packages?

Like how OpenSSH 9.2p1 is vulnerable to CVE-2023-38408 but the Debian version 1:9.2p1-2+deb12u5 is patched. But the security scanner sees the "9.2p1" string and sounds the alarm.

security-tracker.debian.org/tr

Is this a common problem for people running Debian servers?


@teleclimber for better or worse, I rely on the Debian security team rather than an automated scanner.

@teleclimber

Not just automated scanners: organizations that claim to have security expertise who run their automated scanners and then believe them without investigating whether or not the claimed vulnerabilities are real.

And yes, particularly this CVE.

@teleclimber I had this issue a lot at a previous workplace where we subscribed to automated scanning. Indeed, we used Debian, but not exclusively; I _think_ they failed on the few other Linuxes we had too.

SecurityScorecard was the name of the service used.

@teleclimber

Yeah, I'm suffering a PCI compliance scanner that is similarly afflicted with this false positive.

@wrw yep bingo. This scanner was foisted on me because of PCI compliance. What a pain.

@teleclimber it's pretty much what we get out of Rapid7 for every single backported fix in Rocky. To the point of making R7 completely useless for non-Windows stuff.

@teleclimber
Yup, they are almost universally useless noise.

@teleclimber Yes. Most security scanners (Pentesters) are that stupid.

I speak from experience, trying to tell customers that just because it said the server they installed has a vulnerable version of something or other installed, that's not actually the case.

The ones that *actually* try to break stuff (like using known issues, fuzzing input and such) are great, though. Use those.

@teleclimber

It's been a while since I've been involved in vuln mgmt, but yes, I used to see this all the time on Red Hat, because Red Hat also backports security patches like that.

@teleclimber Yes, this is a common problem, because Debian Security only patches the specific error, without updating the version number.

Search the package changelog for the CVE number to verify that it's a fixed problem, and mark the issue as a false positive in the security scanner or somehow tell it to ignore the issue.

@teleclimber Yes, the CVE database has no information on distribution-specific versions, only upstream versions, so false positives are normal for automated vulnerability scanners.

There was a recent episode of the @LateNightLinux podcast 2.5 Admins where this was discussed a bit more. It might have been this one: 2.5admins.com/2-5-admins-235/
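The two replies above describe the same triage step: a version-string scanner only sees the upstream part of a Debian version, so the way to confirm a backported fix is to split the version properly and look the CVE up in the package's Debian changelog. The script below is an added example, not code from anyone in this thread. It models the scanner's upstream-only check, parses `[epoch:]upstream[-revision]`, and walks a Debian-format changelog for the CVE. The changelog text, maintainer and dates in it are constructed for the example and are not the real openssh changelog; on a Debian host the real one is in `/usr/share/doc/<package>/changelog.Debian.gz`.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Debian versions are [epoch:]upstream_version[-debian_revision].  A scanner that
# only compares the upstream part ("9.2p1") cannot see that the Debian revision
# ("2+deb12u5") carries a backported fix.
@dataclass(frozen=True)
class DebianVersion:
    epoch: int
    upstream: str
    revision: Optional[str]

def parse_debian_version(version: str) -> DebianVersion:
    """Split a Debian version string into epoch, upstream version and revision."""
    epoch = 0
    rest = version
    if ":" in rest:                       # epoch ends at the first colon
        epoch_str, rest = rest.split(":", 1)
        epoch = int(epoch_str)
    if "-" in rest:                       # revision starts at the last hyphen
        upstream, revision = rest.rsplit("-", 1)
    else:
        upstream, revision = rest, None
    return DebianVersion(epoch, upstream, revision)

def naive_scanner_flags(installed: str, vulnerable_upstream: str) -> bool:
    """Model of a version-string scanner: flag when only the upstream part matches."""
    return parse_debian_version(installed).upstream == vulnerable_upstream

# Header line of one changelog entry: "source (version) distribution; urgency=..."
ENTRY_HEADER_RE = re.compile(
    r"^(?P<source>[a-z0-9][a-z0-9.+-]+) \((?P<version>[^)]+)\) (?P<dist>[^;]+);", re.M
)

def changelog_entries(text: str) -> list[tuple[str, str]]:
    """Return (version, body) pairs in file order, which is newest first."""
    headers = list(ENTRY_HEADER_RE.finditer(text))
    entries = []
    for i, match in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        entries.append((match.group("version"), text[match.end():end]))
    return entries

def version_fixing_cve(changelog: str, cve_id: str) -> Optional[str]:
    """Oldest changelog version whose entry names the CVE, or None if never mentioned."""
    needle = re.compile(re.escape(cve_id), re.I)
    fixed_in = None
    for version, body in changelog_entries(changelog):
        if needle.search(body):
            fixed_in = version            # keep walking: entries are newest first
    return fixed_in

def triage(installed: str, vulnerable_upstream: str, changelog: str, cve_id: str) -> dict:
    """false_positive is True only when the scanner flags the package AND the
    installed version is the fixing changelog entry or a newer one."""
    flagged = naive_scanner_flags(installed, vulnerable_upstream)
    fixed_in = version_fixing_cve(changelog, cve_id)
    versions = [v for v, _ in changelog_entries(changelog)]
    fix_is_installed = (
        fixed_in is not None
        and installed in versions
        and versions.index(installed) <= versions.index(fixed_in)
    )
    return {
        "scanner_flags": flagged,
        "changelog_fix_version": fixed_in,
        "false_positive": flagged and fix_is_installed,
    }

# Constructed sample changelog in Debian format: entries, maintainer and dates
# are made up for this example and are NOT the real openssh changelog.
SAMPLE_CHANGELOG = """\
openssh (1:9.2p1-2+deb12u5) bookworm-security; urgency=high

  * Backport upstream fix for CVE-2023-38408 (constructed sample entry).

 -- Example Maintainer <maintainer@example.org>  Mon, 01 Jan 2024 00:00:00 +0000

openssh (1:9.2p1-2+deb12u4) bookworm-security; urgency=medium

  * Unrelated fix (constructed sample entry).

 -- Example Maintainer <maintainer@example.org>  Mon, 01 Jan 2024 00:00:00 +0000
"""

if __name__ == "__main__":
    # On a real host, feed in: zcat /usr/share/doc/openssh-server/changelog.Debian.gz
    print(parse_debian_version("1:9.2p1-2+deb12u5"))
    print(triage("1:9.2p1-2+deb12u5", "9.2p1", SAMPLE_CHANGELOG, "CVE-2023-38408"))
    print(triage("1:9.2p1-2+deb12u4", "9.2p1", SAMPLE_CHANGELOG, "CVE-2023-38408"))
```

The result dict keeps the scanner's verdict and the changelog evidence side by side, which is what you want to attach to the scanner's false-positive exception: the fixing version from the changelog is the justification, and a host still on an older revision (the `deb12u4` case) is correctly left flagged.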

@troed
