Keeping your OS and all packages up to date is always a best practice. Since Arch Linux is a rolling release, Arch users get fixes and software updates every few days, sooner than users of fixed-release distributions. However, sometimes users can't update their Arch system because of insufficient Internet data, or they are just too lazy to upgrade, or they avoid updating for fear it might break their system. If you don't update your Arch Linux often, you need to check it for vulnerabilities from time to time, so that if there are any high-risk vulnerabilities, you can update the system immediately. This is where the Arch-audit tool comes in handy. It helps you find the vulnerable packages in Arch Linux and its derivatives such as Manjaro Linux.
Arch-audit is a utility like pkg-audit, based on Arch CVE (Common Vulnerabilities and Exposures) Monitoring Team data. The Arch CVE Monitoring Team (ACMT) is a group of volunteers who help identify and report packages with security vulnerabilities in Arch Linux. The main goal of ACMT is to find bugs in all packages and notify the developers if there are any vulnerabilities. Please be mindful that the arch-audit utility won't find any vulnerabilities on its own. It simply parses the https://security.archlinux.org/ page and displays the results in the Terminal. It is not responsible for any false results in that data.
In this brief tutorial, we will see how to find vulnerable packages in Arch Linux using the Arch-audit utility.
Find Vulnerable Packages In Arch Linux using Arch-audit
arch-audit is available in the community repository, so you can install it using pacman as shown below.
$ sudo pacman -S arch-audit
Once installed, run the following command to find vulnerable packages:
$ arch-audit
Package binutils is affected by CVE-2017-17126, CVE-2017-17125, CVE-2017-17124, CVE-2017-17123, CVE-2017-17122, CVE-2017-15996, CVE-2017-15025, CVE-2017-15024, CVE-2017-15023, CVE-2017-15022, CVE-2017-15021, CVE-2017-15020. High risk!
Package cairo is affected by CVE-2017-7475. Low risk!
Package emacs is affected by CVE-2017-1000383. Medium risk!
Package exiv2 is affected by CVE-2017-11592, CVE-2017-11591, CVE-2017-11553, CVE-2017-17725, CVE-2017-17724, CVE-2017-17723, CVE-2017-17722. Medium risk!
Package lib32-libxml2 is affected by CVE-2018-9251. Medium risk!
Package libffi is affected by CVE-2017-1000376. High risk!
Package libxml2 is affected by CVE-2018-9251. Medium risk!
Package linux is affected by CVE-2018-3646, CVE-2018-3620, CVE-2018-3615, CVE-2018-8897, CVE-2017-5753, CVE-2017-5715, CVE-2018-1121, CVE-2018-1120. High risk!
Package openssh is affected by CVE-2018-15473. Medium risk!
Package patch is affected by CVE-2018-6952, CVE-2018-6951, CVE-2018-1000156. High risk!
Package pcre is affected by CVE-2017-11164. Low risk!
Package podofo is affected by CVE-2017-7994, CVE-2017-7383, CVE-2017-7382, CVE-2017-7381, CVE-2017-7380, CVE-2017-7379, CVE-2017-7378, CVE-2017-6842, CVE-2017-6841, CVE-2017-6840. High risk!
Package systemd is affected by CVE-2018-6954. Medium risk!
Package unzip is affected by CVE-2018-1000035. Medium risk!
Package zsh is affected by CVE-2018-13259, CVE-2018-0502. Low risk!
As you can see in the above output, there are many packages with low, medium and high risk.
To show only vulnerable package names and their versions, use the -q flag as shown below:
$ arch-audit -q
binutils
cairo
emacs
exiv2
lib32-libxml2
libffi
libxml2
linux
openssh
patch
pcre
podofo
systemd
unzip
zsh
To show only packages that have already been fixed, use the -u flag:
$ arch-audit -qu
bluez>=5.46-2
chromium>=61.0.3163.79-1
curl>=7.55-1
ffmpeg>=1:3.3.4-1
ffmpeg2.8>=2.8.13-1
flashplugin>=22.214.171.124-1
lib32-expat>=2.2.2-1
lib32-libgcrypt>=1.8.1-1
libgcrypt>=1.8.1-1
libsoup>=2.58.2-1
linux>=4.12.13-1
newsbeuter>=2.9-7
webkit2gtk>=2.16.6-1
xorg-server>=1.19.3-3
The above listed packages have already been fixed by the developers.
You need to update the high-risk and critical-risk packages as soon as possible. However, I recommend updating all of them by simply running the following command:
$ sudo pacman -Syu
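To see the high-risk and critical-risk entries first, the default report can be filtered by risk level. The script below is an added example, not part of the original tutorial or the arch-audit project; the function names audit_filter, needs_update and sample_report are hypothetical, and the sample lines are copied from the report shown earlier on this page.

```shell
#!/bin/sh
# Added example (not from the arch-audit project). Assumes the default report
# format shown on this page:
#   Package <name> is affected by <CVE>, <CVE>, ... <Level> risk!

# audit_filter MIN_LEVEL: read a report on stdin and print
# "<package> <level> <cve-count>" for every package at or above MIN_LEVEL.
audit_filter() {
    awk -v min="$1" '
        BEGIN {
            rank["Low"] = 1; rank["Medium"] = 2; rank["High"] = 3; rank["Critical"] = 4
            if (!(min in rank)) { print "unknown level: " min > "/dev/stderr"; exit 2 }
        }
        $1 == "Package" {
            level = ""; cves = 0
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^CVE-[0-9]+-[0-9]+[,.]?$/) cves++   # count CVE ids
                if ($i == "risk!") level = $(i - 1)          # word before "risk!"
            }
            if ((level in rank) && rank[level] >= rank[min]) print $2, level, cves
        }
    '
}

# needs_update MIN_LEVEL: exit 0 if any package on stdin is at or above MIN_LEVEL.
needs_update() {
    [ -n "$(audit_filter "$1")" ]
}

# Sample input: five lines copied from the report shown on this page.
sample_report() {
    cat <<'EOF'
Package cairo is affected by CVE-2017-7475. Low risk!
Package emacs is affected by CVE-2017-1000383. Medium risk!
Package libffi is affected by CVE-2017-1000376. High risk!
Package openssh is affected by CVE-2018-15473. Medium risk!
Package patch is affected by CVE-2018-6952, CVE-2018-6951, CVE-2018-1000156. High risk!
EOF
}

sample_report | audit_filter High
```

On a real system, pipe the tool's own output into the filter (arch-audit | audit_filter High), or use needs_update in a scheduled job to decide whether to send a reminder to run the update.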
For more details about arch-audit, refer to the man page.
$ man arch-audit