Script to check an installed packages list against the ubuntu-cve-tracker
This branch is 5 commits ahead of davbo:master.

Active CVE Check

Checks a list of packages against the "active" (not yet patched) CVEs as listed in the Ubuntu CVE Tracker.

CVE details (CVSS score, publication and modification dates, summary) are fetched from the API.

This is a fork with some of my improvements. The original project is hosted here.

How to use

Get the Ubuntu CVE Tracker repository (this will need to be updated periodically)

$ git clone

Grab a list of installed packages from your Ubuntu host

$ dpkg-query -W -f='${source:Package}\n' | sort -u > installed_packages.txt

via SSH:

$ ssh user@host \
 "dpkg-query -W -f='\${source:Package}\n' | sort -u" > installed_packages.txt

Get this repository

$ git clone

Install the dependencies

$ pip install --user -r active-cve-check/requirements.txt

Scan the packages against the known active CVEs

$ python active-cve-check/ \
 installed_packages.txt ubuntu-cve-tracker/active --ubuntu-version=trusty

CVE: CVE-2017-1000368
Package: sudo
CVSS: 7.2
Published: 2017-06-05T12:29:00.200000
Modified: 2017-06-05T12:29:00.217000
Summary: Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution.

CVE: CVE-2017-13049
Package: tcpdump
CVSS: None
Published: 2017-09-14T02:29:03.030000
Modified: 2017-09-14T02:29:03.030000
Summary: The Rx protocol parser in tcpdump before 4.9.2 has a buffer over-read in print-rx.c:ubik_print().

Scan a specific package against the known active CVEs

$ python active-cve-check/ \
 <(echo sudo) ubuntu-cve-tracker/active --ubuntu-version=trusty

or check for the presence of a specific CVE

$ python active-cve-check/ \
 <(echo tcpdump) ubuntu-cve-tracker/active --ubuntu-version=trusty | \
 grep CVE-2017-13049
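As an added illustration of what the scan step does (example code, not this project's or the original author's script), here is a minimal Python re-implementation of the matching: it reads each file in the tracker's active/ directory, parses the `<release>_<source-package>: <status>` lines, and reports installed source packages whose status for the chosen release is still unfixed. The file layout, the set of "unfixed" status keywords and the sample entries are assumptions constructed for the example; the real script additionally fetches CVSS and dates from the API.

```python
import re
from pathlib import Path

# Tracker statuses meaning "no fix shipped yet" for that release (assumption:
# keyword set taken from the ubuntu-cve-tracker conventions; adjust if needed).
UNFIXED = {"needed", "needs-triage", "pending", "active", "deferred"}

# Lines of the form "<release>_<source-package>: <status> (optional note)".
STATUS_RE = re.compile(
    r"^(?P<release>[a-z][a-z/.-]*)_(?P<pkg>[^:\s]+):\s*(?P<status>[A-Za-z-]+)"
)

def parse_cve_file(text):
    """Return (candidate, {(release, pkg): status}) for one tracker file."""
    candidate, statuses = "", {}
    for line in text.splitlines():
        if line.startswith("Candidate:"):
            candidate = line.split(":", 1)[1].strip()
        else:
            m = STATUS_RE.match(line)
            if m:
                statuses[(m["release"], m["pkg"])] = m["status"]
    return candidate, statuses

def find_active(cve_texts, installed, release):
    """Report (cve, package, status) for installed source packages that the
    tracker still lists as unfixed in the given release."""
    hits = []
    for text in cve_texts:
        candidate, statuses = parse_cve_file(text)
        for (rel, pkg), status in statuses.items():
            if rel == release and pkg in installed and status in UNFIXED:
                hits.append((candidate, pkg, status))
    return sorted(hits)

def load_tracker_dir(path):
    """Read every CVE-* file in a checkout's active/ directory."""
    return [p.read_text(errors="replace") for p in Path(path).glob("CVE-*")]

# Constructed tracker entries with placeholder CVE ids (not real advisories).
SAMPLE_TRACKER = [
    "Candidate: CVE-0000-0001\nPriority: medium\nDescription:\n"
    " Constructed entry.\nPatches_tcpdump:\nupstream_tcpdump: released (4.9.2)\n"
    "trusty_tcpdump: needed\nxenial_tcpdump: not-affected\n",
    "Candidate: CVE-0000-0002\nPatches_sudo:\n"
    "trusty_sudo: released (1.0-0ubuntu1)\nxenial_sudo: needed\n",
]

if __name__ == "__main__":
    for hit in find_active(SAMPLE_TRACKER, {"tcpdump", "sudo", "bash"}, "trusty"):
        print("CVE: %s  Package: %s  Status: %s" % hit)
```

Against a real checkout, replace SAMPLE_TRACKER with load_tracker_dir("ubuntu-cve-tracker/active") and the set literal with the lines of installed_packages.txt.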

Probably «AS IS». I haven't contacted the original author to ask about the license of his script.