
Thread: Most Kali Linux packages are outdated or vulnerable

  1. #1 (Join Date: 2013-Mar; Location: Somewhere in the hell; Posts: 14)

    Most Kali Linux packages are outdated or vulnerable

    Since Kali Linux Rolling is based on Debian, most of the packages are outdated or vulnerable. For example, Firefox and Firefox-ESR have had two 0day vulnerabilities recently, and they have been fixed by Firefox officially. Meanwhile, most of the Linux distributions have been updated accordingly, e.g. Ubuntu. However, Firefox-ESR in Kali is still vulnerable.

    I think that the packages in Kali Linux should be up-to-date, as it is a security Linux distribution. Nobody will use a vulnerable penetration testing tool to do the security stuff.

    Hope Kali Linux team can look into it and improve it in the near future.
    Last edited by samiux; 2019-06-24 at 18:32. Reason: fixed typo
    While you do not know attack, how can you know about defense? (未知攻,焉知防?)
    Think like a criminal and act as a professional.
    Not only Try Harder but also Try Smarter!

  2. #2 (Join Date: 2016-Dec; Posts: 647)

    Firefox ESR is up to date. The version provided is the same as the one on Mozilla's website. Could you point to the two 0-days that you mention? I doubt Debian would leave security issues, and could you tell me whether you've checked the patches applied to the package?

    Regarding outdated packages, a few things:
    1. Kali depends on Debian, specifically Debian testing
    2. Debian is frozen and will make a release around July 6 if I recall, so they aren't updating the packages until then (the release is using. Expect lots of updates right after the release
    3. If there are Kali-specific outdated tools, file an issue on https://bugs.kali.org

  3. #3 (Join Date: 2013-Mar; Location: Somewhere in the hell; Posts: 14)

    The updates of Firefox ESR 60.7.2 and OpenJDK, as well as some other packages, were released on Kali Linux today.

  4. #4 (Join Date: 2016-Dec; Posts: 647)

    Just in case, ESR is an Extended Support Release, and it isn't the same version as what you use. There are more details about it at https://www.mozilla.org/en-US/firefox/organizations/

    Firefox ESR is current, compare the one in Kali to https://www.mozilla.org/en-US/firefo...nizations/all/ - both are the same version.

    Could you tell me which of the packages that were released today are outdated? Just a reminder to file a report at https://bugs.kali.org for packages that come from Kali: https://pkg.kali.org/teams/kali-developers/

    OpenJDK is from Debian, so you would have to file a request in Debian. If you're talking about OpenJDK 8 and 11, both are LTS (Long term support) releases as explained on https://blog.devexperts.com/oracle-j...ds-comparison/ and the others are non-LTS.

    You forgot to tell me which 0-days you are talking about.
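The check the replier suggests above (compare the version Kali ships with the one on Mozilla's site) is easy to get wrong when done by eye, because Debian versions carry epochs, `~` pre-release markers and a `-N` packaging revision that plain string comparison mishandles. As an added example that is not part of this thread, the Python below parses `apt-cache policy` style output and orders versions with the same rules `dpkg --compare-versions` applies, then reports whether a package lags its repository candidate or the vendor's release. The policy text is constructed sample data, the `esr` suffix handling and the vendor version passed in are assumptions, and the whole thing runs offline.

```python
"""Compare a Debian/Kali package's installed, candidate and vendor versions.

Added example, not from the forum thread. SAMPLE_POLICY is constructed text
modelled on `apt-cache policy firefox-esr`; the vendor version would normally
be read from the project's release notes.
"""
import re
from itertools import zip_longest


def _char_order(c):
    # dpkg ordering for non-digit characters: '~' sorts before everything,
    # even the end of the string; letters sort before non-letters.
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    # End of string counts as 0, so "~rc1" < "" but "a" > "".
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i]) if i < len(a) else 0
        ob = _char_order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _split(s):
    # Alternate non-digit and digit runs; digit runs compare as integers.
    return [(nd, int(d) if d else 0)
            for nd, d in re.findall(r"(\D*)(\d*)", s) if nd or d]


def _cmp_fragment(a, b):
    for (nda, da), (ndb, db) in zip_longest(_split(a), _split(b), fillvalue=("", 0)):
        c = _cmp_nondigit(nda, ndb)
        if c:
            return c
        if da != db:
            return -1 if da < db else 1
    return 0


def parse_debian_version(v):
    """Return (epoch, upstream, revision) for [epoch:]upstream[-revision]."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def compare_versions(a, b):
    """-1, 0 or 1, using the ordering dpkg --compare-versions applies."""
    ea, ua, ra = parse_debian_version(a)
    eb, ub, rb = parse_debian_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def parse_policy(text):
    """Pull the Installed and Candidate lines out of apt-cache policy output."""
    found = {"Installed": None, "Candidate": None}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key in found and value.strip() != "(none)":
            found[key] = value.strip()
    return found["Installed"], found["Candidate"]


def upstream_part(debian_version, strip_suffix="esr"):
    # Assumption: the ESR package's upstream version carries an "esr" marker
    # (e.g. 60.7.2esr-1); drop it so it compares against the vendor's "60.7.2".
    _, upstream, _ = parse_debian_version(debian_version)
    if strip_suffix and upstream.endswith(strip_suffix):
        upstream = upstream[: -len(strip_suffix)]
    return upstream


def assess(policy_text, vendor_version):
    """Classify the package as current, lagging the repo, or lagging the vendor."""
    installed, candidate = parse_policy(policy_text)
    report = {"installed": installed, "candidate": candidate, "vendor": vendor_version}
    if installed is None:
        report["status"] = "not installed"
    elif candidate and compare_versions(installed, candidate) < 0:
        report["status"] = "update pending in repository"
    elif compare_versions(upstream_part(installed), vendor_version) < 0:
        report["status"] = "repository behind vendor release"
    else:
        report["status"] = "current"
    return report


# Constructed sample, shaped like `apt-cache policy firefox-esr` output.
SAMPLE_POLICY = """\
firefox-esr:
  Installed: 60.7.0esr-1
  Candidate: 60.7.2esr-1
  Version table:
     60.7.2esr-1 500
        500 http://http.kali.org/kali kali-rolling/main amd64 Packages
 *** 60.7.0esr-1 100
        100 /var/lib/dpkg/status
"""

if __name__ == "__main__":
    print(assess(SAMPLE_POLICY, "60.7.2"))
```

On a live system the policy text would come from `subprocess.run(["apt-cache", "policy", "firefox-esr"], capture_output=True, text=True).stdout`; the three status values separate "I just need to run apt upgrade" from "the distribution has not packaged the fix yet", which is the distinction the thread keeps circling.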

  5. #5 (Join Date: 2013-Mar; Location: Somewhere in the hell; Posts: 14)

    A little background on me: I have been a Linux user for over 20 years. I have used BackTrack Linux since version 3. I am a current user of Ubuntu and Kali Linux.

    It is very surprising that OffSec staff do not keep track of the infosec news and vulnerabilities.

    The current and up-to-date version of Firefox ESR is 60.7.2, which was just released several hours after I posted the first post in this forum section yesterday. For the two 0days of Firefox ESR, please refer to the official release documents of versions 60.7.1 and 60.7.2. The current version of Firefox Quantum is 67.0.4. For the two 0days of Firefox Quantum, please refer to the official release documents of versions 67.0.3 and 67.0.4. The officials fixed the 2 0days in 2 days in a row.

    For OpenJDK, the official fixes were released several months ago. However, the update was just released several hours after I posted the first post in this forum section yesterday.

    I think that no infosec guy is willing to use an outdated or vulnerable tool to do his daily work.
    Last edited by samiux; 2019-06-26 at 03:29. Reason: add info

  6. #6 (Join Date: 2016-Dec; Posts: 647)

    I'd like to, again, point out that Kali depends on Debian for a lot of packages, which includes Firefox and OpenJDK. Firefox is a critical package, so distributions have to be careful when packaging it so it doesn't mess up end users' systems. Another thing to mention is that Debian is in freeze, so stuff may be delayed.

    Debian is always looking for hands to help them package tools, you should join their packaging team so updates would be provided as soon as a 0-day appears.

    As I mentioned, while most tools are updated regularly, there is no way to track every single piece of software, so if you encounter out-of-date tools, file an issue.

    You still haven't said which other software is out of date.
