How to Check the Status of Reported CVEs Using the Debian Security Tracker

Learn how to check the status of reported CVEs using the Debian Security Tracker. Understand CVE IDs, status meanings, and how to verify fixes on your server.

Written by Syed Abuzar Mehdi
Updated over 3 months ago

Security vulnerabilities are a common concern for website owners and server administrators.

You may run vulnerability scans on your server using third-party security tools, which generate reports that list detected issues using CVE IDs for packages like OpenSSL, curl, OpenSSH, or glibc.

This article explains, in simple terms, what a CVE is and how you can check its current status using the official Debian Security Tracker.

This helps you understand whether your Debian-based server is affected, already protected, or awaiting a fix.

This guide is intended for Cloudways customers, including users without a technical background.



What is a CVE?

A CVE (Common Vulnerabilities and Exposures) is a publicly listed security issue that affects software or system components.

Each CVE has a unique identification number, such as:

CVE-2024-1234

This ID allows security teams, hosting providers, and users worldwide to track the same vulnerability consistently.

You may encounter CVE IDs in:

  • Vulnerability testing

  • Open-source security announcements

  • Public vulnerability reports

Why Checking CVE Status Matters

Not every reported CVE automatically means your server is at risk.

Some vulnerabilities:

  • Are already fixed

  • Do not affect Debian packages

  • Are still being investigated

  • Have fixes that are scheduled for future updates

By checking the CVE status, you can:

  • Confirm whether action is required

  • Avoid unnecessary concern

  • Understand patch availability

  • Make informed security decisions

Step #1: Locate the CVE ID

Before checking anything, you need the CVE number.

If a vulnerability alert mentions a package (for example, OpenSSL) but does not include a CVE ID, you can still search by package name in the Debian tracker.

Step #2: Open the Debian Security Tracker

The Debian Security Tracker is the official source for tracking vulnerabilities affecting Debian packages.

Once the page opens, you have two options:

Search by CVE ID

  • Enter the CVE number (for example, CVE-2024-1234)

  • This shows detailed information about that specific vulnerability

Search by Package Name

  • Enter a package name (for example, openssh)

  • This displays all known vulnerabilities related to that package

This is helpful if you do not yet have a CVE ID.

Step #3: Understand CVE Status Values

After opening a CVE entry, you will see a Status column. This status explains how the vulnerability affects Debian systems.

Below is a simple explanation of the most common CVE statuses and what they mean for you:

Fixed

  • A security patch is available

  • The vulnerability has been resolved

  • You should update your system packages as soon as possible

Unfixed

  • The vulnerability is confirmed

  • A patch is not available yet

  • Temporary workarounds may be required

Not-Affected

  • Debian is not impacted by this vulnerability

  • No action is needed

No-DSA

  • The issue exists but is not severe enough for an urgent security advisory

  • It will be fixed in a future regular update

Undetermined

  • Debian security teams are still reviewing the issue

  • Impact is not yet confirmed

Understanding these terms helps you avoid unnecessary updates and focus only on real risks.

Step #4: Check If Your Server Is Using the Fixed Version

Even when a CVE shows as fixed, it is important to confirm that your server has the correct version installed.

You can do this by checking the installed package version on your server.

SSH into Server:

See the relevant section of the Knowledge Base article 'How to Connect to Your Application Using SSH/SFTP'.

Example Command

Run the following command, replacing the package name as needed:

dpkg -l | grep package-name

Here, package-name is the package you want to check, for example openssh.

Compare:

  • The version installed on your server

  • The version listed as Fixed Version in the Debian Security Tracker

If your installed version is lower, your server may still be vulnerable.
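
As an added example (not part of the original article and not a Cloudways tool), the comparison in Step #4 can be done with dpkg's own version ordering, because reading versions by eye or as plain text gets cases such as deb12u10 versus deb12u9 wrong. The function names and any version strings you test it with are constructed for illustration.

```shell
#!/bin/sh
# Added example: Step #4 using dpkg's own version ordering.
# Function names are hypothetical; they are not from the article.

# version_is_fixed INSTALLED FIXED
# Succeeds when INSTALLED >= FIXED under Debian ordering (epoch first,
# numeric runs compared as numbers, "~" sorting before everything).
version_is_fixed() {
    dpkg --compare-versions "$1" ge "$2"
}

# installed_version PACKAGE
# Prints the version dpkg has recorded, or nothing if it has no record.
installed_version() {
    dpkg-query -W -f='${Version}' "$1" 2>/dev/null || true
}

# check_package PACKAGE FIXED_VERSION
# Returns 0 = at or above the fix, 1 = below the fix, 2 = not installed.
check_package() {
    pkg=$1
    fixed=$2
    inst=$(installed_version "$pkg")
    if [ -z "$inst" ]; then
        echo "$pkg: not installed"
        return 2
    fi
    if version_is_fixed "$inst" "$fixed"; then
        echo "$pkg: installed $inst is at or above fixed $fixed"
        return 0
    fi
    echo "$pkg: installed $inst is below fixed $fixed, update needed"
    return 1
}

# Typical use, with the fixed version copied from the tracker entry:
#   check_package openssh-server "<fixed version from the tracker>"
```

The tracker lists a fixed version per Debian release, so use the row for the release your server runs.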


Key Takeaways

  • A CVE is a unique identifier for a security vulnerability

  • Not all CVEs affect Debian systems

  • The Debian Security Tracker is the official source to verify CVE status

  • Always check the status before taking action

  • Confirm installed package versions when a fix is available

  • Older package versions may still be secure due to backported fixes


Need Assistance with a Specific CVE?

If you have a specific CVE ID and are unsure how it affects your Cloudways server, you can:

  • Check the Debian Security Tracker using the steps above

  • Contact Cloudways Support for clarification

  • Share the CVE ID with the support team for further guidance


That's it! We hope this article was helpful.
