False positive: tmpreaper / systemd on Debian Stretch (incorrect package)

Running a full authenticated scan on a Debian Stretch host with tmpreaper installed is giving a false positive result that references a systemd security advisory:

Detection Result

Vulnerable package: tmpreaper
Installed version: 1.6.13+nmu1+deb9u1+b1
Fixed version: 232-25+deb9u7

Detection Method

This check tests the installed software version using the apt package manager.

Details: Debian Security Advisory DSA 4367-1 (systemd - security update) OID: 1.3.6.1.4.1.25623.1.0.704367
Version used: 2019-07-04T09:25:28Z

The package tmpreaper is not part of systemd, so this security update is not relevant to this package. The tmpreaper package itself is up to date with the latest security updates.

Thanks for your detailed report.

The unrelated tmpreaper package check in this VT was indeed added wrongly to this DSA advisory and has been removed to avoid this false positive. The changes should be included in the feed once the “Version used:” of this VT has “2019-07-29T14:16:31+0000” or later.

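Why the check in the report fired, as an added example that is not part of the original posts or the scanner's own code: under dpkg's version ordering, tmpreaper's version sorts below the systemd fixed version, so a version test attached to the wrong package name reports it as vulnerable. The `triage` helper, the `SOURCE_OF` mapping and the result strings are hypothetical, and the mapping is constructed sample data.

```python
import re
from itertools import zip_longest

def _order(c):
    # dpkg character order: '~' first, then end of run (0), letters, other symbols
    if c == "":
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare alternating (non-digit, digit) runs, the way dpkg orders versions
    runs = zip_longest(re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b),
                       fillvalue=("", ""))
    for (ta, na), (tb, nb) in runs:
        for ca, cb in zip_longest(ta, tb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; epoch ends at the first ':', revision starts at the last '-'
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def deb_version_cmp(a, b):
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def triage(finding, advisory_source, source_of):
    # source_of maps binary package -> source package; on a host it can be filled
    # from: dpkg-query -W -f='${binary:Package} ${source:Package}\n'
    if source_of.get(finding["package"]) != advisory_source:
        return "false positive"  # package is not built from the advisory's source
    if deb_version_cmp(finding["installed"], finding["fixed"]) < 0:
        return "vulnerable"
    return "patched"

# Finding taken from the report above; SOURCE_OF is constructed sample data
SOURCE_OF = {"tmpreaper": "tmpreaper", "systemd": "systemd", "libsystemd0": "systemd"}
FINDING = {"package": "tmpreaper", "installed": "1.6.13+nmu1+deb9u1+b1",
           "fixed": "232-25+deb9u7"}
```
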