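As computer security problems become increasingly prominent, the requirements on computer security levels keep rising, and classified protection (等级保护) has become one of the requirements that must be met. However, most popular vulnerability scanners today use the software version as the basis for finding vulnerabilities (😔), while the widely used RHEL-family Linux distributions (RHEL/CentOS/Rocky Linux/AlmaLinux) and Debian-family Linux distributions (Debian/Ubuntu/Linux Mint) each do their own software patching, which basically (or completely) covers the vulnerabilities found by classified-protection vulnerability scans. So how do you view the changelog of an installed package?
1. RHEL/AlmaLinux/Rocky/OracleLinux: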
Oracle Linux 9.0
# rpm -q --changelog httpd|grep CVE
fixup last [CVE-2022-31813][Orabug: 34381949]
- Resolves: #2065250 - CVE-2022-22720 httpd: HTTP request smuggling
- Resolves: #2035031 - CVE-2021-44224 httpd: possible NULL dereference or SSRF
- Resolves: #2035064 - CVE-2021-44790 httpd: mod_lua: possible buffer overflow
CentOS 7.9
$ rpm -q --changelog httpd|grep CVE
- Resolves: #2065243 - CVE-2022-22720 httpd: HTTP request smuggling
- Resolves: #2031072 - CVE-2021-34798 httpd: NULL pointer dereference via
- Resolves: #2031074 - CVE-2021-39275 httpd: out-of-bounds write in
- Resolves: #1969226 - CVE-2021-26691 httpd: Heap overflow in mod_session
- Resolves: #2035058 - CVE-2021-44790 httpd: mod_lua: possible buffer overflow
- Resolves: #2015694 - proxy rewrite to unix socket fails with CVE-2021-40438 fix
- Resolves: #2011729 - CVE-2021-40438 httpd: mod_proxy: SSRF via a crafted
- Resolves: #1823262 - CVE-2020-1934 httpd: mod_proxy_ftp use of uninitialized
- Resolves: #1565491 - CVE-2017-15715 httpd: <FilesMatch> bypass with a trailing
- Resolves: #1747283 - CVE-2019-10098 httpd: mod_rewrite potential open redirect
- Resolves: #1565457 - CVE-2018-1303 httpd: Out of bounds read in
- Resolves: #1566531 - CVE-2018-1283 httpd: Improper handling of headers in
- Resolves: #1677496 - CVE-2018-17199 httpd: mod_session_cookie does not respect
- Resolves: #1565465 - CVE-2017-15710 httpd: Out of bound write in
- Resolves: #1568298 - CVE-2018-1301 httpd: Out of bounds access after
- Resolves: #1566317 - CVE-2018-1312 httpd: Weak Digest auth nonce generation
- Resolves: #1696141 - CVE-2019-0217 httpd: mod_auth_digest: access control
- Resolves: #1696096 - CVE-2019-0220 httpd: URL normalization inconsistency
- Resolves: #1493065 - CVE-2017-9798 httpd: Use-after-free by limiting
- Resolves: #1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw()
- Resolves: #1463197 - CVE-2017-3169 httpd: mod_ssl NULL pointer dereference
- Resolves: #1463207 - CVE-2017-7679 httpd: mod_mime buffer overread
- Resolves: #1463205 - CVE-2017-7668 httpd: ap_find_token() buffer overread
- Resolves: #1470748 - CVE-2017-9788 httpd: Uninitialized memory reflection
- Related: #1412976 - CVE-2016-0736 CVE-2016-2161 CVE-2016-8743
- Resolves: #1412976 - CVE-2016-0736 CVE-2016-2161 CVE-2016-8743
- add security fix for CVE-2016-5387
- core: fix chunk header parsing defect (CVE-2015-3183)
and ap_force_authn hook (CVE-2015-3185)
- core: fix bypassing of mod_headers rules via chunked requests (CVE-2013-5704)
- mod_cache: fix NULL pointer dereference on empty Content-Type (CVE-2014-3581)
- mod_cgid: add security fix for CVE-2014-0231 (#1120608)
- mod_proxy: add security fix for CVE-2014-0117 (#1120608)
- mod_deflate: add security fix for CVE-2014-0118 (#1120608)
- mod_status: add security fix for CVE-2014-0226 (#1120608)
- mod_cache: add secutiry fix for CVE-2013-4352 (#1120608)
- mod_dav: add security fix for CVE-2013-6438 (#1077907)
- mod_log_config: add security fix for CVE-2014-0098 (#1077907)
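As the output shows, almost all of the CVEs discovered so far have been patched.
rpm -q --changelog only works for installed packages; for packages that are available to install, use the yum/dnf command.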
# yum changelog dovecot|grep CVE
- fix CVE-2020-12100 resource exhaustion via deeply nested MIME parts (#1866752)
- fix CVE-2020-12673 out of bound reads in dovecot NTLM implementation (#1866757)
- fix CVE-2020-12674 crash due to assert in RPA implementation (#1866764)
- fix CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
- fix CVE-2019-3814: improper certificate validation (#1674369)
- fix CVE-2019-7524: buffer overflow in indexer-worker process resulting in privilege
2. Debian/Ubuntu
Debian 11.5
# apt-get changelog apache2|grep CVE
* New upstream version 2.4.54 (closes: #1012513, CVE-2022-31813,
CVE-2022-26377, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404,
CVE-2022-30522, CVE-2022-30556, CVE-2022-28330)
* New upstream version 2.4.53 (Closes: CVE-2022-22719,
CVE-2022-22720, CVE-2022-22721, CVE-2022-23943)
* New upstream version 2.4.52 (Closes: CVE-2021-44224, CVE-2021-44790)
* New upstream version 2.4.51. Closes: CVE-2021-33193, CVE-2021-34798,
CVE-2021-36160, CVE-2021-39275, CVE-2021-40438, CVE-2021-41524,
CVE-2021-41773, CVE-2021-42013)
* New upstream version 2.4.50 (Closes: CVE-2021-41524, CVE-2021-41773)
* Refresh patches and drop CVE-2021-40438-improvement,
* Fix CVE-2021-40438 regression
* New upstream version 2.4.49 (Closes: CVE-2021-34798, CVE-2021-36160,
CVE-2021-39275, CVE-2021-40438)
* Fix mod_proxy HTTP2 request line injection (Closes: CVE-2021-33193)
* New upstream version 2.4.48 (Closes: CVE-2019-17567, CVE-2020-13938,
CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691,
CVE-2021-30641, CVE-2021-31618)
* Fix various low security issues (Closes: CVE-2020-13950, CVE-2020-35452,
CVE-2021-26690, CVE-2021-26691, CVE-2021-30641)
(Closes: #989562, CVE-2021-31618)
* New upstream version 2.4.46 (Closes: CVE-2020-11984, CVE-2020-11993,
CVE-2020-9490)
* New upstream version 2.4.43 (Closes: CVE-2020-1927, CVE-2020-1934)
* New upstream version 2.4.41 (Closes: CVE-2019-9517, CVE-2019-10081,
CVE-2019-10082, CVE-2019-10092, CVE-2019-10098)
* New upstream version 2.4.39 (Closes: CVE-2019-0196, CVE-2019-0197,
CVE-2019-0211, CVE-2019-0215, CVE-2019-0217, CVE-2019-0220)
- debian/patches/CVE-2019-0196.patch: disentangelment of stream and
- CVE-2019-0196
- debian/patches/CVE-2019-0211.patch: bind the bucket number of each
- CVE-2019-0211
- debian/patches/CVE-2019-0215.patch: restore SSL verify state after
- CVE-2019-0215
- debian/patches/CVE-2019-0217.patch: fix a race condition in
- CVE-2019-0217
- debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in
- debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety
- debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in
- CVE-2019-0220
* CVE-2019-0197: mod_http2: Fix possible crash on late upgrade
CVE-2018-17189, CVE-2018-17199, CVE-2019-0190)
- CVE-2018-11763: DoS for HTTP/2 connections by continuous SETTINGS
- CVE-2018-1333: Denial of service in mod_http2. Closes: #904106
- CVE-2018-8011: Denial of service in mod_md. Closes: #904107
- CVE-2017-15710
- CVE-2018-1283
- CVE-2018-1303
- CVE-2018-1301
- CVE-2017-15715
- CVE-2018-1312
- CVE-2018-1302
* CVE-2017-9798: Don't allow new methods to be registered in .htaccess files
* Fix CVE-2017-9788: mod_auth_digest: Uninitialized memory reflection
* CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw()
* CVE-2017-3169: mod_ssl NULL pointer dereference
* CVE-2017-7668: Buffer overrun in ap_find_token()
* CVE-2017-7679: mod_mime buffer overread
* CVE-2017-7659: mod_http2 NULL pointer dereference
* Remove mention of CVE-2016-5387 in 2.4.25-1 changelog. It was already
* Security: CVE-2016-0736:
* Security: CVE-2016-2161:
* Security: CVE-2016-8740:
* Security: CVE-2016-8743:
* CVE-2016-5387: Sets environmental variable based on user supplied Proxy
- Security: CVE-2016-4979: Fix bypass of TLS client certificate
new symbols required for the CVE-2015-3185 fix.
+ CVE-2015-3183: Fix chunk header parsing defect.
+ CVE-2015-3185: ap_some_auth_required() broken in apache 2.4 in an
* Add a patch for CVE-2015-0253 which was introduced in 2.4.11 which
* CVE-2015-0228: mod_lua: Fix denial of service vulnerability in
* CVE-2014-8109: mod_lua: Fix handling of the Require line when a
script. (CVE-2014-3583). Fix similar bug in mod_authnz_fcgi even
* CVE-2014-3581: Fix a DoS in mod_cache.
+ Security Fix for CVE-2013-5704: HTTP trailers could be used to
- CVE-2014-0117 mod_proxy: Fix DoS that could cause a crash
- CVE-2014-0226 Fix a race condition resulting in a heap overflow in
- CVE-2014-0118 mod_deflate: The DEFLATE input filter now limits the
- CVE-2014-0231 mod_cgid: Fix a denial of service against CGI scripts
- CVE-2013-6438: mod_dav: Fix DoS from crafted DAV WRITE requests.
- CVE-2014-0098: mod_log_config: Fix segfaults when logging truncated
* CVE-2013-1896: mod_dav: Fix a denial of service via MERGE request
* Add note to README.Debian about CVE-2013-0966 if the document root is
- Fix various XSS flaws in modules (CVE-2012-3499, CVE-2012-4558)
* CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2
* CVE-2012-0216: Remove /usr/share/doc alias from default virtual hosts'
- Fix CVE-2012-0021: mod_log_config: DoS with '%{cookiename}C' log format
- Fix CVE-2012-0031: Unprivileged child process could cause the parent to
- Fix CVE-2012-0053: Exposure of "httpOnly" cookies in code 400 error
* Security: Fix broken patch for CVE-2011-3607 (Integer overflow in
* Fix CVE-2011-4317: Prevent unintended pattern expansion in some
reverse proxy configurations. (Similar to CVE-2011-3368, but different
* Fix CVE-2011-3607: Integer overflow in ap_pregsub could cause segfault
* Fix CVE-2011-3368: Prevent unintended pattern expansion in some
- Fixes CVE-2011-3348: Possible denial of service in mod_proxy_ajp
* Fix some regressions related to Range requests caused by the CVE-2011-3192
* Fix CVE-2011-3192: DoS by high memory usage for a large number of
- Fix CVE-2011-1176: If NiceValue was set, the default with no
* CVE-2010-1623: mod_reqtimeout: Fix potential DoS by high memory usage.
- CVE-2010-1452: mod_dav, mod_cache: Fix denial of service vulnerability
- CVE-2010-0408: mod_proxy_ajp: Fixes denial of service vulnerability
- CVE-2009-3555: mod_ssl: Improve the mitigation against SSL/TLS protocol
- CVE-2010-0434: mod_headers: Fix potential information leak with threaded
(CVE-2009-3555): Disable keep-alive if parts of the next request have
for the TLS renegotiation prefix injection attack (CVE-2009-3555).
- DoS by malicious ftp server (CVE-2009-3094)
on the backend ftp server (CVE-2009-3095)
similar issue as CVE-2009-1891.
- CVE-2009-1890: denial of service in mod_proxy
- CVE-2009-1891: denial of service in mod_deflate (closes: #534712)
* CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server
- CVE-2009-1191: mod_proxy_ajp: Avoid delivering content from a previous
* Fix XSS in mod_proxy_ftp (CVE-2008-2939).
usage (CVE-2008-2364).
(CVE-2007-6420).
instead of public_html* (CVE-2007-1742).
o mod_imagemap (CVE-2007-5000)
o mod_status (CVE-2007-6388)
o mod_proxy_balancer's balancer manager (CVE-2007-6421)
(CVE-2007-6422).
specify something else than ISO-8859-1 (CVE-2008-0005).
scripting vulnerabilities (CVE-2007-6203).
* Add CVE reference to 2.2.6-1 changelog entry
- fixes mod_proxy DoS for threaded MPMs (CVE-2007-3847)
allowing a workaround for buggy browsers affected by CVE-2007-4465
- CVE-2007-3304: prevent parent process to send SIGUSR1 to arbitrary
- CVE-2006-5752: XSS in mod_status
* Fix CVE-2007-1863: DoS in mod_cache
* Fix CVE-2007-1862: mod_mem_cache DoS (introduced in 2.2.4)
(CVE-2006-3747)
- Fixes XSS issue in mod_imap/mod_imagemap (CVE-2005-3352).
* Added '052_mod_rewrite_CVE-2006-3747' to fix the off-by-one bug in
[CVE-2006-3747]. (Closes: #380182)
* Added '055_expect_CVE-2006-3918' to fix XSS attack in Expect headers.
[CVE-2006-3918]. (Closes: #381376)
* Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in
mod_imap before outputting HTML to avoid XSS attacks; see CVE-2005-3352
* Add 051_mod_ssl_CVE-2005-3357 to avoid a remote denial of service in
on a server with a custom 400 error document defined; see CVE-2005-3357
- Resolves a serious memory leak in the worker MPM; see CVE-2005-2970
* New Upstream Release; Fixes: CVE: CAN-2002-0840 CERT: VU#240329
Ubuntu 18.04
$ apt-get changelog openssh-server |grep CVE
- debian/patches/CVE-2018-15473.patch: updated to fix bad patch
* SECURITY UPDATE: Incomplete fix for CVE-2019-6111
- debian/patches/CVE-2019-6111-2.patch: add another fix to the filename
- CVE-2019-6111
* Fixed inverted CVE numbers in patch filenames and in previous
- debian/patches/CVE-2018-20685.patch: disallow empty filenames
- CVE-2018-20685
- debian/patches/CVE-2019-6111.patch: make sure the filenames match
- CVE-2019-6111
- debian/patches/CVE-2019-6109-1.patch: sanitize scp filenames via
- debian/patches/CVE-2019-6109-2.patch: force progressmeter updates in
- CVE-2019-6109
- debian/patches/CVE-2018-15473.patch: delay bailout for invalid
- CVE-2018-15473
- CVE-2017-15906: sftp-server(8): In read-only mode, sftp-server was
- CVE-2016-10009: ssh-agent(1): Will now refuse to load PKCS#11 modules
- CVE-2016-10010: sshd(8): When privilege separation is disabled,
- CVE-2016-10011: sshd(8): Avoid theoretical leak of host private key
- CVE-2016-10012: sshd(8): The shared memory manager used by
* CVE-2016-8858: Unregister the KEXINIT handler after message has been
* CVE-2016-6210: Mitigate user enumeration via covert timing channel
* CVE-2015-8325: Ignore PAM environment vars when UseLogin=yes.
- CVE-2016-3115: sshd(8): Sanitise X11 authentication credentials to
- CVE-2016-0777, CVE-2016-0778: Disable experimental client-side support
- CVE-2015-5352: ssh(1): When forwarding X11 connections with
- CVE-2015-5600: sshd(8): Fix circumvention of MaxAuthTries using
- CVE-2014-2532: sshd(8): when using environment passing with an
* CVE-2014-2653: Fix failure to check SSHFP records if server presents a
+ CVE-2013-4548: sshd(8): fix a memory corruption problem triggered
* CVE-2010-5107: Improve DoS resistance by changing default of MaxStartups
* Fill in CVE identifier for ssh-vulnkey bug fixed in 1:4.7p1-10.
* CVE-2008-2285: ssh-vulnkey handles options in authorized_keys
* Fill in CVE identifier for security vulnerability fixed in 1:4.7p1-8.
* Mitigate OpenSSL security vulnerability (CVE-2008-0166):
* Fill in CVE identifier for security vulnerability fixed in 1:4.7p1-5.
- CVE-2008-1657: Ignore ~/.ssh/rc if a sshd_config ForceCommand is
- CVE-2008-1483: Don't use X11 forwarding port which can't be bound on
- CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if
- CVE-2006-4924: Fix a pre-authentication denial of service found by
- CVE-2006-5051: Fix an unsafe signal hander reported by Mark Dowd. The
- CVE-2006-0225: scp (as does rcp, on which it is based) invoked a
* Add a CVE name to the 1:4.0p1-1 changelog entry.
* Annotate 1:4.2p1-1 changelog with CVE references.
I mention the CVE reference here anyway for completeness.
A large amount of vulnerability patch information can be found.
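The grep above lists CVE mentions but not which package release carried them, so the following added example (not part of the original post) maps each CVE to the newest changelog entry that mentions it and checks a scanner's findings against that map. The function names and the sample changelog are constructed for illustration; the verdict reads "mentioned-in" rather than "fixed" because the output above also contains lines such as "Remove mention of CVE-2016-5387" that name a CVE without patching it.

```shell
#!/usr/bin/env bash
# Added example: map each CVE in a package changelog to the newest release
# whose entry mentions it, then check a scanner's findings against that map.

# Changelog of PKG via the commands shown above (rpm if installed there, else apt).
pkg_changelog() {
    if command -v rpm >/dev/null 2>&1 && rpm -q "$1" >/dev/null 2>&1; then
        rpm -q --changelog "$1"
    else
        apt-get changelog "$1"
    fi
}

# stdin: changelog text. stdout: "CVE-ID<TAB>release", first (newest) mention wins.
cve_releases() {
    awk '
    /^\* (Mon|Tue|Wed|Thu|Fri|Sat|Sun) / { rel = $NF; next }        # RPM entry header
    /^[a-z0-9][a-z0-9+.-]* \([^)]+\) .*; urgency=/ {                # Debian entry header
        rel = $2; gsub(/[()]/, "", rel); next
    }
    {
        line = $0
        while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
            id = substr(line, RSTART, RLENGTH)
            if (!(id in seen)) { seen[id] = 1; print id "\t" rel }
            line = substr(line, RSTART + RLENGTH)
        }
    }'
}

# triage CHANGELOG_FILE CVE-ID...: one verdict per scanner finding.
triage() {
    map=$(cve_releases < "$1"); shift
    for id in "$@"; do
        rel=$(printf '%s\n' "$map" | awk -F'\t' -v id="$id" '$1 == id { print $2 }')
        if [ -n "$rel" ]; then echo "$id mentioned-in $rel"
        else echo "$id not-in-changelog"; fi
    done
}

# Constructed sample (release strings, dates and maintainer are made up).
sample_changelog() {
    cat <<'EOF'
* Mon Mar 21 2022 Example Maintainer <maint@example.com> - 2.4.0-2.example
- Resolves: #2065243 - CVE-2022-22720 httpd: HTTP request smuggling
* Tue Jan 11 2022 Example Maintainer <maint@example.com> - 2.4.0-1.example
- Resolves: #2035058 - CVE-2021-44790 httpd: mod_lua: possible buffer overflow
- Resolves: #2031072 - CVE-2021-34798 httpd: NULL pointer dereference via
EOF
}
```

On a real host, save `pkg_changelog httpd` to a file and pass it to `triage` with the CVE IDs from the scan report; compare the reported release with the installed one (`rpm -q httpd` or `dpkg -s apache2`) before closing a finding.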
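In closing: I hope vulnerability scanning systems will dig deeper, detect system vulnerabilities accurately, and offer remediation advice.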