How to upgrade packages like openssl, openssh, binutils, dhcpd etc. in vyos


#1

I am running a vulnerability scan on my VyOS VM and it is showing around 10-15 issues, most of them related to package updates. I created the VyOS image from the repo https://github.com/vyos/vyos-build and it is using Debian 8. How can I update packages in my VyOS VM? Do I need to update my OS?


#2

When did you build the image? When you build the image via vyos-build, the first step is to install all required pkgs from Debian, so they are the latest available via the Debian repos. Also, vulnerability results can often be false positives as well; depending on the tool, I have seen a lot of bs in these reports.
Can you post one on pastebin or so?


#3

Yes, but the vyos-build repo uses Debian 8, which does not have all the latest packages.
How can I know that a vulnerability is a false positive? I am using OpenVAS.
Following are the vulnerabilities:
Title: CVE-2016-6304, CVE-2016-6303, CVE-2016-2182, CVE-2106-2177, CVE-2014-9939, CVE-2016-2774, CVE-205-8605, CVE-2016-6302, CVE-2016-2183, CVE-2016-2181, CVE-2016-2180, CVE-2016-2179, CVE-2016-6306, CVE-2016-2178, CVE-2017-15906, CVE-2016-10708, CVE-2016-8858, CVE-2016-0778, CVE-2016-0777,


#4

Debian has a security tracker (https://security-tracker.debian.org/tracker); there you can query the particular CVE.
It then tells you the status and which flavor is affected (VyOS 1.2 uses Debian 8, aka jessie).
https://security-tracker.debian.org/tracker/CVE-2016-6304 shows you that you need at least 1.0.1t-1+deb8u4 installed.
Currently installed is 1.0.1t-1+deb8u8, so that CVE is patched in vyos 1.2.

The other way around is possible as well, so you can have a look at the package status in jessie:
https://security-tracker.debian.org/tracker/source-package/openssl; under resolved issues you have the patches listed. Does that answer your question?


#5

Yes, that answers my question. Thanks @hagbard