Debsecan showing deprecated linux-libc-dev

Question

I am hardening a debian 12 server right now and I am trying to find and patch CVEs using debsecan. When I run debsecan --suite bookworm I get a list of CVEs with most of them being related to linux-libc-dev. I installed the linux-libc-dev/bookworm-backports package which is 6.7.12-1~bpo12+1 and I still get hundreds of vulnerabilities when using debsecan although they should be patched with the version I installed. Am I still vulnerable or are those false-positives? And can I remove them from my daily debsecan report? Also what is linux-libc-dev exactly for? I read about it being kernel-headers but not the actual use of them.

When using

apt-cache show linux-libc-dev

I get multiple versions of linux-libc-dev.

Package: linux-libc-dev Source: linux Version: 6.7.12-1~bpo12+1 Installed-Size: 9983 Maintainer: Debian Kernel Team debian-kernel@lists.debian.org Architecture: all Provides: linux-libc-dev-alpha-cross (= 6.7.12-1~bpo12+1), linux-libc-dev-amd64-cross (= 6.7.12-1~bpo12+1), linux-libc-dev-arm64-cross (= 6.7.12-1~bpo12+1), linux-libc-dev-armel-cross (= 6.7.12-1~bpo12+1), linux-libc-dev-armhf-cross (= 6.7.12-1~bpo12+1), linux-libc-dev-hppa-cross (= 6.7.12-1~bpo12+1), linux-libc-dev-i386-cross (= 6.7.12-1~bpo12+1), linux-libc-dev-loong64-cross (= 6.7.12-1~bpo12+1), linux-libc-dev-m68k-cross (= 6.7.12-1~bpo12+1), linux-libc-dev-mips-cross (= 6.7.12-1~bpo12+1), linux-libc-dev-mips64-cross (= 6.7.12-1~bpo12+1), linux-libc-dev-mips64el-cross (= 6.7.12-1~bpo12+1), linux-libc-dev-mips64r6el-cross (= 6.7.12-1~bpo12+1), linux-libc-dev-mipsel-cross (= 6.7.12-1~bpo12+1), linux-libc-dev-powerpc-cross (= 6.7.12-1~bpo12+1), linux-libc-dev-ppc64-cross (= 6.7.12-1~bpo12+1), linux-libc-dev-ppc64el-cross (= 6.7.12-1~bpo12+1), linux-libc-dev-riscv64-cross (= 6.7.12-1~bpo12+1), linux-libc-dev-s390x-cross (= 6.7.12-1~bpo12+1), linux-libc-dev-sh4-cross (= 6.7.12-1~bpo12+1), linux-libc-dev-sparc64-cross (= 6.7.12-1~bpo12+1), linux-libc-dev-x32-cross (= 6.7.12-1~bpo12+1) Description-en: Linux support headers for userspace development This package provides userspaces headers from the Linux kernel. These files are going to be installed into /usr/include, and are used by the installed headers for GNU libc and other system libraries. Description-md5: b95630af34c5b0ac63c5a6f7cf44ced6 Multi-Arch: foreign Homepage: https://www.kernel.org/ Section: devel Priority: optional Filename: pool/main/l/linux/linux-libc-dev_6.7.12-1~bpo12+1_all.deb Size: 2281912 SHA256: 06f909df48c6439f2fb9235a9be715b62bcc37044fd36f41c298a56e4c717530

Package: linux-libc-dev Source: linux Version: 6.6.13-1~bpo12+1 Installed-Size: 9949 Maintainer: Debian Kernel Team debian-kernel@lists.debian.org Architecture: all Description-en: Linux support headers for userspace development This package provides userspaces headers from the Linux kernel. These files are going to be installed into /usr/include, and are used by the installed headers for GNU libc and other system libraries. Description-md5: b95630af34c5b0ac63c5a6f7cf44ced6 Multi-Arch: foreign Homepage: https://www.kernel.org/ Section: devel Priority: optional Filename: pool/main/l/linux/linux-libc-dev_6.6.13-1~bpo12+1_all.deb Size: 2229204 SHA256: aca3bd8d6c7604fe02765b50da0c97d0242ebf9082896e0a202e865fc00cf9ba

Package: linux-libc-dev Source: linux Version: 6.1.94-1 Installed-Size: 6732 Maintainer: Debian Kernel Team debian-kernel@lists.debian.org Architecture: amd64 Description-en: Linux support headers for userspace development This package provides userspaces headers from the Linux kernel. These headers are used by the installed headers for GNU libc and other system libraries. Description-md5: f310daf8fb891639ee6eeeb4020a7c13 Multi-Arch: same Homepage: https://www.kernel.org/ Tag: devel::lang:c, devel::library, implemented-in::c, role::devel-lib Section: devel Priority: optional Filename: pool/main/l/linux/linux-libc-dev_6.1.94-1_amd64.deb Size: 1993748 MD5sum: c3a6cbed6da7deade1dd670deb2ba130 SHA256: 9fdc10311d52bcbec6f2220cc6bfc81223ca19a790b66108d17f05bc2516f5f3

Package: linux-libc-dev Source: linux Version: 6.1.90-1 Installed-Size: 6714 Maintainer: Debian Kernel Team debian-kernel@lists.debian.org Architecture: amd64 Description-en: Linux support headers for userspace development This package provides userspaces headers from the Linux kernel. These headers are used by the installed headers for GNU libc and other system libraries. Description-md5: f310daf8fb891639ee6eeeb4020a7c13 Homepage: https://www.kernel.org/ Multi-Arch: same Section: devel Priority: optional Filename: pool/updates/main/l/linux/linux-libc-dev_6.1.90-1_amd64.deb Size: 1976336 SHA256: 5d194f7515d8a0e36c74fdda27fa28d8a9ef13a01810007fad0a73a38c15dc5a

Package: linux-libc-dev Source: linux Version: 6.1.67-1 Installed-Size: 6644 Maintainer: Debian Kernel Team debian-kernel@lists.debian.org Architecture: amd64 Description-en: Linux support headers for userspace development This package provides userspaces headers from the Linux kernel. These headers are used by the installed headers for GNU libc and other system libraries. Description-md5: f310daf8fb891639ee6eeeb4020a7c13 Multi-Arch: same Homepage: https://www.kernel.org/ Tag: devel::lang:c, devel::library, implemented-in::c, role::devel-lib Section: devel Priority: optional Filename: pool/main/l/linux/linux-libc-dev_6.1.67-1_amd64.deb Size: 1904824 SHA256: 3a69c95e5544cd2d7a3264d7381670f756090c236acb2ff9fa86a081bb2cd761

Is this related? I am suspecting that I have more than one version installed and need to purge the old ones. If so - how can I do this?

Answer 1

CAVEATS section of man 1 debsecan says the following:

Much like the official Debian security advisories, debsecan's vulnerability tracking is mostly based on source packages. This can be confusing because tools like dpkg only display binary package names. Therefore, debsecan displays the more familiar binary package names. This has the unfortunate effect that all binary packages (including packages containing only documentation, for example) are flagged as vulnerable, and not only those packages which actually contain the vulnerable code.

In your case, the package linux-libc-dev (containing Linux kernel C headers) has the corresponding source package linux (kernel itself) so all kernel CVEs are reported against the linux-libc-dev package. See the full list of CVEs for linux package. The linux-libc-dev package doesn't have these vulnerabilities itself. Please note that you need to have the same version of linux-libc-dev as the kernel your system is running.