OnWorks favicon

debsecan - Online in the Cloud

Run debsecan in OnWorks free hosting provider over Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator

This is the command debsecan that can be run in the OnWorks free hosting provider using one of our multiple free online workstations such as Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator



debsecan - Debian Security Analyzer


debsecan options...


debsecan analyzes the list of installed packages on the current host and reports
vulnerabilities found on the system.


--suite count
Choose a specific suite. debsecan produces more informative output (including
obsolete packages) if the correct suite is specified. The release code name has to
be used ("sid"), not the temporal name ("unstable").

--whitelist file
Change the name of the whitelist file.

--add-whitelist, --remove-whitelist, --show-whitelist
Add or remove entries from the whitelist, or print the whitelist to standard
output. See the CHANGING THE WHITELIST section below.

--source url
Override the default download URL for vulnerability data.

--status file
Evaluate a different dpkg status file.

--format format
Change the output format. If format is summary (the default), a short summary for
each vulnerability is printed. The simple format is like the summary format,
except that only the bug packages names are printed. For bugs and packages,
debsecan lists the names of vulnerabilities and binary packages, respectively.
--format detail requests a verbose output format, showing all available data. The
report format is used for email reports.

--line-length characters
Specifies the line length in report mode. The default is 72.

--mailto mailbox
The --mailto option instructions debsecan to the send the report to the email
address mailbox. No report is sent if there where no changes since the last
invocation with --update-history. This option requires the --format report output
format. The option value may contain macros, see the section CONFIGURATION FILE
MACROS below.

Only list vulnerabilities for which a fix is available in the archive. Note that
it can happen that a fix is listed, although the package has not been built for the
system's architecture and is not yet available for download. (If you use this
option, you also must specify the correct suite using --suite.)

Do not list any obsolete packages (see below). Using this option is not
recommended because it hides real vulnerabilities on some systems, not just false

--history file
Change the name of the history file used by --format report.

Turn off certificate validation for HTTPS.

Update the vulnerability status information after reporting it using --format

--cron Internal option used for invocations from cron. Checks if the vulnerability data
has already been downloaded today. In this case, further processing is skipped.
See debsecan-create-cron(8) for instructions how to create a suitable cron entry.

--config file
Sets the location of the configuration file.

--help Display a short help message and exit.

Display version information and exit.


The configuration file contains the following variables. It follows name=value shell
syntax. If value contains white space, it must be surrounded by double quotes. Some
variables may contain macros; see the section CONFIGURATION FILE MACROS below.

MAILTO Sets the email address to which reports are sent in --cron mode. May contain

REPORT Controls whether debsecan does any processing whatsoever in --cron mode.
(Permitted values: true and false.)

SOURCE Controls the URL from which vulnerability information is fetched. If empty, the
built-in default is used.

SUITE Sets the default value of the --suite option (see there).

Changes the subject line of reports. May contain macros.

Disables HTTPS certificate checking, just like the --disable-https-check command
line option.


Macro processing replaces strings of the form %s(key)s with system-dependent values.
Support keys are:

The host name on which debsecan runs, without the domain name part.

fqdn The fully-qualified domain name of the host on which debsecan runs.

ip The IP address of the host on which debsecan runs. This may be inaccurate on
multi-homed systems.


You can use the --add-whitelist and --remove-whitelist options to change the whitelist.
Whitelisted vulnerabilities are not included in the reports. For example,

debsecan --add-whitelist CVE-2005-4601

ignores the vulnerability CVE-2005-4601 completely, while

debsecan --add-whitelist CVE-2005-4601 perlmagick

ignores it only as far as the perlmagick is concerned. (This is the same format that is
produced by the --format simple option.) To remove all whitelist entries for the
CVE-2005-4601 vulnerability, use:

debsecan --remove-whitelist CVE-2005-4601

If you want to remove an entry for a specific vulnerability/package pair, list the package
name explicitly, as in:

debsecan --remove-whitelist CVE-2005-4601 imagemagick

You can list multiple vulnerability and packages. For example,

debsecan --add-whitelist CVE-2005-4601 \
CVE-2006-0082 imagemagick perlmagick

whitelists CVE-2005-4601 for all packages, and CVE-2006-0082 for the imagemagick and
perlmagick packages only.


Much like the official Debian security advisories, debsecan's vulnerability tracking is
mostly based on source packages. This can be confusing because tools like dpkg only
display binary package names. Therefore, debsecan displays the more familiar binary
package names. This has the unfortunate effect that all binary packages (including
packages containing only documentation, for example) are flagged as vulnerable, and not
only those packages which actually contain the vulnerable code.

If the correct --suite option is specified, debsecan may mark some packages as obsolete.
This means that the binary package in question has been removed from the archive. In this
case, you need to update all the packages depending on the obsolete package, and
subsequently remove the obsolete package.

For certain architectures, build daemons may lag considerably. In such case, debsecan may
incorrectly mark a package as fixed, even if an update is not yet available in the Debian

Note that debsecan version uses the --suite option only to determine the availability of
corrected packages and to detect obsolete packages. If you specify the wrong suite, only
the information on available security updates and obsolete packages is wrong, but the list
of vulnerabilities is correct.

Mixing packages from different Debian releases is supported, as long as the packages still
carry their official version numbers. Unknown package versions (from backported packages,
for example) are compared to the version in Debian unstable only, which may lead to
incorrect reports.


This command prints all package names for which security fixes are available:

debsecan --suite suite --format packages --only-fixed

If you pass this output to apt-get, you can download new packages which contain security
fixes. For example, if you are running sid:

apt-get install \
$(debsecan --suite sid --format packages --only-fixed)

The following command can be invoked periodically, to get notifications of new security

debsecan --suite suite --format report \
--update-history --mailto root

See debsecan-create-cron(8) for a tool which creates a suitable cron entry.


This environment variable instructs debsecan to use a proxy server to fetch the
vulnerability data. It must be of the form http://proxy.example.net:8080/
(mimicking a URL).

Use debsecan online using onworks.net services

Free Servers & Workstations

Download Windows & Linux apps

  • 1
    Fork of TeamWinRecoveryProject(TWRP)
    with many additional functions, redesign
    and more Features:Supports Treble and
    non-Treble ROMsUp-to-date Oreo kernel,
    Download OrangeFox
  • 2
    itop - ITSM  CMDB OpenSource
    itop - ITSM CMDB OpenSource
    IT Operations Portal: a complete open
    source, ITIL, web based service
    management tool including a fully
    customizable CMDB, a helpdesk system and
    a document man...
    Download itop - ITSM CMDB OpenSource
  • 3
    Clementine is a multi-platform music
    player and library organizer inspired by
    Amarok 1.4. It has a fast and
    easy-to-use interface, and allows you to
    search and ...
    Download Clementine
  • 4
    ATTENTION: Cumulative update 2.4.3 has
    been released!! The update works for any
    previous 2.x.x version. If upgrading
    from version v1.x.x, please download and
    Download XISMuS
  • 5
    Modular headtracking program that
    supports multiple face-trackers, filters
    and game-protocols. Among the trackers
    are the SM FaceAPI, AIC Inertial Head
    Tracker ...
    Download facetracknoir
  • 6
    PHP QR Code
    PHP QR Code
    PHP QR Code is open source (LGPL)
    library for generating QR Code,
    2-dimensional barcode. Based on
    libqrencode C library, provides API for
    creating QR Code barc...
    Download PHP QR Code
  • 7
    Cuckoo Sandbox
    Cuckoo Sandbox
    Cuckoo Sandbox uses components to
    monitor the behavior of malware in a
    Sandbox environment; isolated from the
    rest of the system. It offers automated
    analysis o...
    Download Cuckoo Sandbox
  • More »

Linux commands

  • 1
    rsbac-admin - Rule Set Based Access
    Control DESCRIPTION: rsbac-admin is a
    set of tool used to manage systems using
    a Rule Set Based Access Control (RSBAC)
    Run acl_gran
  • 2
    rsbac-admin - Rule Set Based Access
    Control DESCRIPTION: rsbac-admin is a
    set of tool used to manage systems using
    a Rule Set Based Access Control (RSBAC)
    Run acl_grant
  • 3
    cpupower idle-set - Utility to set cpu
    idle state specific kernel options
    SYNTAX: cpupower [ -c cpulist ]
    idle-info [options] DESCRIPTION: The
    cpupower idle-se...
    Run cpupower-idle-set
  • 4
    cpupower-info - Shows processor power
    related kernel or hardware
    configurations ...
    Run cpupower-info
  • 5
    g15daemon - provides access to extra
    keys and the LCD available on the
    logitech G15 keyboard. DESCRIPTION:
    G15Daemon allows users access to all
    extra keys by d...
    Run g15daemon
  • 6
    laditools - tools to control and
    monitor LADI (JACK and ladish) systems ...
    Run g15ladi
  • More »