I’ve seen several security alerts from Debian, but no matching updates in Devuan. For example, the “file” package has CVE-2017-1000249, released yesterday.
> For the stable distribution (stretch), this problem has been fixed in
> version 1:5.30-1+deb9u1.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 1:5.32-1.
But, on a Devuan Ascii VM:
> $ sudo apt-get install file
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> file is already the newest version (1:5.30-1).
> 0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
Maybe this one is too new, but the “apache2” package has CVE-2017-9788 released July 18th, 2017.
> For the oldstable distribution (jessie), this problem has been fixed
> in version 2.4.10-10+deb8u10.
>
> For the stable distribution (stretch), this problem has been fixed in
> version 2.4.25-3+deb9u2.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 2.4.27-1.
The latest apache2 in Ascii is 2.4.25-3+deb9u1.
jf
--
John Franklin
franklin@???
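
The version check behind the two cases in this message, as an added example that is not part of the original e-mail: a pure-Python implementation of Debian's version ordering (epoch, upstream version, revision), applied to the installed and stretch-fixed versions quoted above. The function names are made up for this example; on a Debian or Devuan system `dpkg --compare-versions` performs the same comparison.

```python
# Added example: Debian version ordering, used to test "installed < fixed".
def _isdigit(c):
    return "0" <= c <= "9"

def _order(c):
    # Non-digit ordering: '~' sorts first, then end-of-string, letters, the rest.
    if c == "~":
        return -1
    if c == "" or _isdigit(c):
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        # Compare the non-digit runs character by character.
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        # Compare the following digit runs numerically (empty run counts as 0).
        si, sj = i, j
        while i < len(a) and _isdigit(a[i]):
            i += 1
        while j < len(b) and _isdigit(b[j]):
            j += 1
        na, nb = int(a[si:i] or 0), int(b[sj:j] or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def split_version(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev

def compare_versions(a, b):
    (ea, ua, ra), (eb, ub, rb) = split_version(a), split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def needs_update(installed, fixed):
    return compare_versions(installed, fixed) < 0

# (package, installed on the Ascii VM, fixed in stretch), as quoted in the message
CASES = [("file", "1:5.30-1", "1:5.30-1+deb9u1"),
         ("apache2", "2.4.25-3+deb9u1", "2.4.25-3+deb9u2")]
for pkg, installed, fixed in CASES:
    print(pkg, installed, "needs update" if needs_update(installed, fixed) else "ok")
```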