HyperV security problem

[Seb-tech77]

Hello, I installed dietpi and did a vulnerability scan of the Dietpi VM and it's a very vulnerable machine because the kernel is not up to date I think. Here's the picture. All updates have been done. Sincerely

[MichaIng]

You, and the creators of this vulnerability check, should inform yourself about how Debian and most Linux distributions patch security fixes into older Linux (any every other software/package) versions, to keep features/compatibility stable, but security none less.

You can be sure that an up-to-date Debian kernel in its stable repository is about the safest you are able to find. If at all there are concerns, then is is about outdated vendor kernels for some SBCs, which is why I am never really happy to stick with those for too long, but new or non-famous SBCs simply do not run, or with very limited features, when using a proper mainline Linux build.

[Seb-tech77]

no worries, I was just worried about all the vulnerabilities the tool seemed to detect. It's for running on a HyperV machine. But the tool may be showing me vulnerabilities that have since been resolved, I'm not sure.
I'm just trying to understand, because Debian is supposed to be much more secure than Windows.

[Seb-tech77]

[Joulinar]

We don't maintain the kernel on x86

[Seb-tech77]

I'm using an x86-64 architecture, so 64bits. Shouldn't that be good?

[MichaIng]

That is all good. But it has to be interpreted with care. No software is 100% secure. Every person can create such security vulnerability reports. Many are disputed, most are of very low severity or can be exploited only in special circumstances. Many tools just check the software version, then see affected versions on a stable Debian, and assume it is vulnerable, which is usually not true, as Debian patches its sources. But I am not sure how this tool works.

But in case of x86_64 DietPi systems with use the Debian kernel and repo, as long as you keep it upgraded, following the APT package upgrade notifications, there is usually no reason to be afraid of possible kernel vulnerabilities. Enterprise Linux distributions of course are in a different situations, as paying customers can have a different voice to get any detected vulnerability fixed ASAP, whether reasonable or not, and they have the resources.

More important are basic usage and configuration aspects of the system and its software. I wrote up some things: https://github.com/MichaIng/DietPi/wiki/Security-recommendation
SSH key authentication can be automatically enabled on first boot in the meantime, when adding an SSH key to dietpi.txt, though for a VM this is difficult to edit prior to first boot. Can be also done afterwards, and then Dropbear reinstalled:

dietpi-software reinstall 104

APT package upgrades can be automatically done daily by setting CONFIG_CHECK_APT_UPDATES=2 in dietpi.txt. Though, for a kernel upgrade to take effect, a reboot is required.

[Seb-tech77]

Okay, thank you very much for all these details. I therefore consider the distribution to be safe. Thank you for answering my questions.