View Full Version : Most Kali Linux packages are outdated or vulnerable

2019-06-24, 18:25
Since Kali Linux Rolling is based on Debian, most the packages are outdated or vulnerable. For example, the Firefox and Firefox-ESR have two 0day vulnerabilities recently and they have been fixed by the Firefox official. Meanwhile, most of the Linux distributions are updated accordingly, e.g. Ubuntu. However, Firefox-ESR in Kali is still vulnerable.

I think that the packages in Kali Linux should be up-to-date as it is a security Linux distribution. Nobody will used a vulnerable penetration testing tool to do the security stuff.

Hope Kali Linux team can look into it and improve it in the near future.

2019-06-25, 17:04
Firefox ESR is up to date. The version provided is the same as the one on Mozilla's website. Could you point to the two 0-day that you mention? I doubt Debian would leave security issues and could you tell me if you've checked the patches applied to the package?

Regarding outdated packages, a few things:
1. Kali depends on Debian, specifically debian testing
2. Debian is freezed and will make a release around July 6 if I recall, so they aren't updating the packages until then (the release is using. Expect lots of updates right after the release
3. If there are Kali-specific outdated tools, file an issue on https://bugs.kali.org

2019-06-25, 17:19
The update of Firefox ESR 60.7.2 and OpenJDK as well as some other packages are released on Kali Linux today.

2019-06-26, 02:22
Just in case, ESR is an Extended Support Release, and it isn't the same version as what you use. There are more details about it https://www.mozilla.org/en-US/firefox/organizations/

Firefox ESR is current, compare the one in Kali to https://www.mozilla.org/en-US/firefox/organizations/all/ - both are the same version.

Could you tell me which packages that were released today are outdated? Just in reminder to file a report at https://bugs.kali.org for packages that come from kali: https://pkg.kali.org/teams/kali-developers/

OpenJDK is from Debian, so you would have to file a request in Debian. If you're talking about OpenJDK 8 and 11, both are LTS (Long term support) releases as explained on https://blog.devexperts.com/oracle-jdk-vs-openjdk-builds-comparison/ and the others are non-LTS.

You forgot to tell me which 0-days you are talking about.

2019-06-26, 03:25
A little background of me, I am a Linux user for over 20 years. I used Backtrack Linux since version 3. I am a current user of Ubuntu and Kali Linux.

It is very suprise that staff of OffSec do not keep track with the infosec news and vulnerabilities.

The current and up-to-date version of Firefox ESR is 60.7.2 which is just released several hours after I posted the first post in this forum section yesterday. For the two 0day of Firefox ESR, please refer to the official release document of version 60.7.1 and 60.7.2. The current version of Firefox Quantum is 67.0.4. The two 0day of Firefox Quantum, please refer to the official release document of version 67.0.3 and 67.0.4. The official fixed the 2 0day in 2 days in a row.

For the OpenJDK, the official fixes have been released several months ago. However, the update is just released several hours after I posted the first post in this forum section yesterday.

I think that no infosec guy is willing to use an outdated or vulnerable tool to do his daily work.

2019-06-26, 18:28
I'd like to, again, point out that Kali depends on Debian for a lot of packages, which includes Firefox and OpenJDK. Firefox is a critical package, so distributions have to be careful when packaging it so it doesn't mess up end user's systems. Another thing to mention is that Debian is in freeze, so stuff may be delayed.

Debian is always looking for hands to help them package tools, you should join their packaging team so updates would be provided as soon as a 0-day appears.

As I mentioned, while most tools are updated regularly, there is no way to track every single piece of software, so if you encounter out of date tools, file an issue.

You still haven't said which other software is out of date.