
How to help the security team (was Re: Bad press related to (missing) Debian security)



On Tue, Jun 28, 2005 at 11:48:23AM +0200, Marek Olejniczak wrote:
> No, it was *my* decision! I have been using Debian for 4 years and I like this 
> distribution. And it surprised me that my favourite distro has problems 
> with security.

Like any other *volunteer* project, there are ups and downs. Don't 
complain, help fix the problem instead. 

I'm amazed at how people are complaining about this. In other news: 
Microsoft doesn't publish advisories for known security vulnerabilities, it 
will wait even a full month (or more) to do so. And their security team is 
being *paid* for what they do.

I, for one, would actually appreciate if people instead of complaining in
this mailing list would go through the latest public vulnerabilities that
*might* affect Debian and provide a status report. You just need to pick a
vulnerability and ask yourself these questions:

a) how grave is this vulnerability? is it local or remote?
b) is an upstream patch available?
c) does the vulnerability indeed affect Debian woody or sarge?
d) has it been reported in Debian's BTS? does it have a patch?
e) has a package fixing this been uploaded to sid? is a package
waiting for approval from the security team?

Some information is available at
http://newraff.debian.org/~joeyh/stable-security.html but that's not 100%
accurate (as described in the header).

So, for starters, all you need is:

Vulnerability info, which is available at:

- Securityfocus Database: http://www.securityfocus.com/bid
- LWN's advisories (http://lwn.net/Alerts/) and vulnerabilities 
(http://lwn.net/Vulnerabilities/) 

The relevant Debian BTS entries should be tagged 'security' and can be 
found at:
http://bugs.debian.org/cgi-bin/pkgreport.cgi?which=tag&data=security&archive=no&exclude=potato&exclude=experimental&exclude=fixed&exclude=wontfix

But, of course, the BTS entries for the relevant bugs should be reviewed 
too (people sometimes do not tag security bugs appropriately).

Also, past advisories with CVE references for Debian should be reviewed. 
They are found at:
http://www.debian.org/security/crossreferences

(Note: Bugtraq references in that page are not necessarily up-to-date as I
review these from time to time)

Here's a sample:

-----------------------------------------------------------------------------

- Vulnerability: latest dbus vulnerability 
- Severity: High
- Type: local
- References: CAN-2005-0201, also BID-12345: 
http://www.securityfocus.com/bid/12435
[ not in Debian's CVE reference map ]
- Other references:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146766
(includes test and patch)
- Affected version: 0.22 (based on other vendors alerts)
- Debian versions: 0.23.4-1 in sarge, 0.23.4-3 in sid, not present in woody 
(http://packages.qa.debian.org/d/dbus.html)

[ review of the source package to see if the bug is applied there ]
[ .... ] 
[ the code is fixed and the upstream Changelog says that it was fixed 
on 2005-01-31 and included in 2.3.1 ] 

Status: Debian is _not_ affected

Actions that need to be taken: none
----------------------------------------------------------------------------

Another example:

----------------------------------------------------------------------------

- Vulnerability: cacti - SQL injection and XSS
- Severity: High
- Type: remote
- References: CAN-2005-{1524,1525,1526}
- Other references: 
Gentoo advisory: http://www.gentoo.org/security/en/glsa/glsa-200506-20.xml
Gentoo Bug: http://bugs.gentoo.org/show_bug.cgi?id=96243
Patch: 
http://www.cacti.net/downloads/patches/0.8.6d/cacti_0_8_6e_security.patch
- Affected version: prior to 0.8.6e
http://www.cacti.net/release_notes_0_8_6e.php
- Debian versions: 0.6.7-2.2 in oldstable, 0.8.6c-7 in stable, 0.8.6e-1 in 
testing/sid
- Bug reported:  #315703 (not tagged 'security')

[ Review oldstable code ]
[ Code is not affected by these vulnerabilities, the vulnerable code is not 
present ]

Status: Debian _is_ affected, a fix is pending approval from the 
security team for upload

Actions that need to be taken:
a) tag 'security' the BTS entries

----------------------------------------------------------------------------

Now that you all know how to improve the situation and help, why don't you
start doing it? Start with all the vulnerabilities in Joey's stable security
pages. Follow up with all the vulnerabilities which are not listed there
but are related to software present in Debian for which other vendors have
published advisories already.

And then send the reports to the security team CC'ing this list. I'm 
anxious to see how many who have voiced their concerns will end up 
publishing here a status report.

Regards

Javier


PS: I'm not adding Secunia to the vulnerability info since it's obviously 
not current / correct, see http://secunia.com/product/143/ for example.


