On Tue, Jun 28, 2005 at 11:48:23AM +0200, Marek Olejniczak wrote:
> No, it was *my* decision! I've been using Debian for 4 years and I like this
> distribution. And it surprised me that my favourite distro has problems
> with security.

Like any other *volunteer* project, there are ups and downs. Don't complain, help fix the problem instead.

I'm amazed at how people are complaining about this. In other news: Microsoft doesn't publish advisories for known security vulnerabilities, it will wait even a full month (or more) to do so. And their security team is being *paid* for what they do.

I, for one, would actually appreciate it if people, instead of complaining in this mailing list, would go through the latest public vulnerabilities that *might* affect Debian and provide a status report. You just need to pick a vulnerability and ask yourself these questions:

a) how grave is this vulnerability? is it local or remote?
b) is an upstream patch available?
c) does the vulnerability indeed affect Debian woody or sarge?
d) has it been reported in Debian's BTS? does it have a patch?
e) has a package fixing this been uploaded to sid? is a package waiting for approval from the security team?

Some information is available at http://newraff.debian.org/~joeyh/stable-security.html but that's not 100% accurate (as described in the header).

So, for starters, all you need is:

Vulnerability info, which is available at:

- Securityfocus Database: http://www.securityfocus.com/bid
- LWN's advisories (http://lwn.net/Alerts/) and vulnerabilities (http://lwn.net/Vulnerabilities/)

The relevant Debian BTS entries should be tagged 'security' and can be found at:

http://bugs.debian.org/cgi-bin/pkgreport.cgi?which=tag&data=security&archive=no&exclude=potato&exclude=experimental&exclude=fixed&exclude=wontfix

But, of course, the BTS entries for the relevant bugs should be reviewed too (people sometimes do not tag security bugs appropriately).

Also, past advisories with CVE references for Debian should be reviewed. They are found at: http://www.debian.org/security/crossreferences (Note: Bugtraq references in that page are not necessarily up-to-date as I review these from time to time)

Here's a sample:

-----------------------------------------------------------------------------
- Vulnerability: latest dbus vulnerability
- Severity: High
- Type: local
- References: CAN-2005-0201, also BID-12345: http://www.securityfocus.com/bid/12435 [ not in Debian's CVE reference map ]
- Other references: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146766 (includes test and patch)
- Affected version: 0.22 (based on other vendors' alerts)
- Debian versions: 0.23.4-1 in sarge, 0.23.4-3 in sid, not present in woody (http://packages.qa.debian.org/d/dbus.html)

[ review of the source package to see if the bug is applied there ]
[ .... ]
[ the code is fixed and upstream Changelog says that it was fixed on 2005-01-31 and included in the 2.3.1 ]

Status: Debian is _not_ affected
Actions that need to be taken: none
----------------------------------------------------------------------------

Another example:

----------------------------------------------------------------------------
- Vulnerability: cacti - SQL injection and XSS
- Severity: High
- Type: remote
- References: CAN 2005-{1524,1525,1526}
- Other references:
  Gentoo advisory: http://www.gentoo.org/security/en/glsa/glsa-200506-20.xml
  Gentoo Bug: http://bugs.gentoo.org/show_bug.cgi?id=96243
  Patch: http://www.cacti.net/downloads/patches/0.8.6d/cacti_0_8_6e_security.patch
- Affected version: prior to 0.8.6e http://www.cacti.net/release_notes_0_8_6e.php
- Debian versions: 0.6.7-2.2 in oldstable, 0.8.6c-7 in stable, 0.8.6e-1 in testing/sid
- Bug reported: #315703 (not tagged 'security')

[ Review oldstable code ]
[ Code is not affected by these vulnerabilities, the vulnerable code is not present ]

Status: Debian _is_ affected, a fix is pending approval from the security team for upload
Actions that need to be taken:
a) tag 'security' the BTS entries
----------------------------------------------------------------------------

Now that you all know how to improve the situation and help, why don't you start doing it? Start with all the vulnerabilities in Joey's stable security pages. Follow up with all the vulnerabilities which are not listed there but are related to software present in Debian for which other vendors have published advisories already. And then send the reports to the security team CC'ing this list.

I'm anxious to see how many who have voiced their concerns will end up publishing here a status report.

Regards

Javier

PS: I'm not adding Secunia to the vulnerability info since it's obviously not current / correct, see http://secunia.com/product/143/ for example.