what's up with security?
- To: debian-devel@lists.debian.org, security@debian.org
- Cc: lynx@packages.debian.org, mailman@packages.debian.org, xemacs21@packages.debian.org, openldapd@packages.debian.org
- Subject: what's up with security?
- From: Joey Hess <joeyh@debian.org>
- Date: Wed, 24 May 2000 23:27:24 -0700
- Message-id: <20000524232724.A5157@kitenet.net>
- Mail-followup-to: debian-devel@lists.debian.org, security@debian.org, lynx@packages.debian.org, mailman@packages.debian.org, xemacs21@packages.debian.org, openldapd@packages.debian.org
If you read this week's Linux Weekly News
(http://lwn.net/2000/0525/security.phtml), it would appear that Debian
is either perfect and has no security holes, or that unlike every other
major linux distribution, we are not fixing any. No security updates
have appeared on www.debian.org for 2 full months!

I don't think either is true. I think we're falling behind and not
keeping current on some security problems, and I think some fixes are
happening and are not getting advisories published.

What can we do to fix this? Isn't there supposed to be a security team
that tracks this stuff, does fixes if the maintainers are not responsive,
and issues advisories?

(BTW, I'd like to know if debian is vulnerable to the following items
mentioned on LWN:

- New version of lynx, 2.8.3pre.5, appears to have actually been
  audited now, and has security fixes, though there are no details of
  them. Debian seems to have an older version.
- Mailman 2.0beta1 has some sort of "Security patch when using
  external archivers". Information on this one is scarce.
- Some xemacs fixes were reported: "A couple of problems in
  xemacs have been fixed, including the insecure creation of
  temporary files and snooping of other users' keystrokes." I remember
  seeing something about this on a debian list, but none of the xemacs
  packages in frozen seem to have been updated this year.
- A temp file race in openldap. I can't seem to find anything clear
  about what version it is fixed in, so I don't know if we are
  vulnerable.

I have already filed bugs on netscape, qpopper, and gnapster.)
--
see shy jo