Debian · 3 releases supported

Patch CVEs on Debian

StackPatch indexes the Debian Security Tracker (security-tracker.debian.org) for 3 Debian releases: trixie (13) · bookworm (12) · bullseye (11 LTS). The workflow below shows the exact apt + dpkg commands to detect, remediate, and verify a CVE.

5-second free check

curl https://mindsparkstack.com/scan.sh | bash

On Debian the agent uses dpkg-query -W -f='${Package}\t${Version}\n' to enumerate installed packages, then matches them against security-tracker.debian.org via the StackPatch matcher API. The script source is available as plain text.

Manual workflow

  1. Enumerate installed packages

    dpkg-query -W -f='${Package}\t${Version}\n' | head -200

  2. Look up an example CVE

    CVE-2023-0049 — affects vim on Debian. Each CVE page shows the exact fixed_version per release.

  3. Upgrade with apt + dpkg

    sudo apt-get update && sudo apt-get install --only-upgrade -y <package>

  4. Verify the version landed

    Re-run the quickscan, or use the per-package check listed above.
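
The detect and verify steps both come down to comparing an installed version with a fixed_version under Debian's ordering rules (epoch, upstream, revision, with '~' sorting before everything), which is what dpkg --compare-versions does. The sketch below is an added example, not StackPatch's matcher code; the package names and fixed_version values are constructed placeholders.

```python
import re

def _order(c):
    """Sort weight of one non-digit character in a Debian version string."""
    if c == "~":
        return -1  # '~' sorts before everything, even end of string
    if c == "":
        return 0   # end of string, or the start of a digit run
    return ord(c) if c.isalpha() else ord(c) + 256  # letters before symbols

def _cmp_part(a, b):
    """Compare two upstream or revision strings; return -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character using _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ca = a[i] if i < len(a) and not a[i].isdigit() else ""
            cb = b[j] if j < len(b) and not b[j].isdigit() else ""
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
            i, j = i + 1, j + 1
        # Digit run: compare numerically; an empty run counts as 0.
        da, db = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        i, j = i + len(da), j + len(db)
    return 0

def _split(v):
    """Split [epoch:]upstream[-revision]; missing epoch is 0, missing revision is empty."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev

def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unpatched(dpkg_output, fixed):
    """Map package -> installed version for packages older than fixed_version."""
    rows = (line.split("\t", 1) for line in dpkg_output.splitlines() if "\t" in line)
    return {p: v for p, v in rows if p in fixed and compare_versions(v, fixed[p]) < 0}

# Constructed sample: dpkg-query output and hypothetical fixed_version values.
SAMPLE = "pkg-a\t2:9.0-2\npkg-b\t3.0.11-1~deb12u2\npkg-c\t1.4-1\n"
FIXED = {"pkg-a": "2:9.0-2+deb12u1", "pkg-b": "3.0.11-1~deb12u2", "pkg-c": "1.4-1~deb12u1"}
```

With the sample data, only pkg-a is reported: its installed revision sorts before the "+deb12u1" fix, while pkg-c's "1.4-1" already sorts after "1.4-1~deb12u1".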

Debian-specific notes

  • Debian Security Tracker carries severity (urgency) per release — used for alert priority in StackPatch.
  • LTS releases (currently bullseye) are handled by a separate security team but use the same dpkg toolchain.
  • Hostinger / DigitalOcean default Debian images are bookworm in 2026.

Continuous monitoring across all your Debian servers

Hourly inventory + matcher + email/webhook alerts + public audit URL per server. $99 lifetime, 50 founder seats. Works on every Debian release listed above.