
Debian Security Survey



Hi Joey

With regards to your "Debian Security Survey"
(http://lists.debian.org/debian-devel-announce/2002/debian-devel-announce-200211/msg00001.html).

Thank you for giving us the opportunity to listen to our feedback on 
the issue of security updates for Potato.

We are a small ISP, but we have specialized in setting up and 
maintaining e-mail and web-servers for our customers. We currently 
have over 70 servers under maintenance running Debian Linux. Of these 
10 are running Woody, the rest are still on Potato.

Virtually all of these servers are on remote customer sites. Most of 
the Potato servers are on analogue or ISDN dial-up connections. To 
upgrade Potato to Woody requires a download of about 100MB - which is 
obviously a slow process.

We have quite a lot of carefully configured software on these 
servers. Thus we have been moving to Woody quite slowly and 
monitoring the systems for quirks in the upgrade process.

When we are happy that we are making the "best use" of Woody we will 
start upgrading these servers "en masse". I expect this to be sometime 
in January next year. Even then it will take weeks to get them all 
upgraded. There may be some that we would prefer not to upgrade at 
all due to the nature of the hardware, limited usage etc. 
Fortunately all of the dial-up boxes are on dynamic IPs which makes 
them far less vulnerable to scanning and intrusion than permanently 
connected hosts.

In addition we have one system which is running WAN router hardware 
as well as a multipoint serial card for remote dial-up access. This 
has a customized kernel (ver 2.2.19), customized advanced routing 
(using "ip route"), snmp, and a lot of scripts for monitoring and 
logging. Of course it is live 24/7 in a production environment. 
Upgrading this box is going to be a project all on its own.

We have already completed the upgrade of our main in-house webserver 
and mail servers. These were fairly big projects as they have 
customized setups, scripting etc. They also host many domains and 
many users so we had to devise strategies to complete the upgrades 
without causing too much disruption to the customers.

We have had development systems running Woody for a year or more. 

I hope the above gives you an idea what the challenges are involved 
in upgrading to Woody. I think many other people are faced with 
similar tasks. It is important to understand that the slow pace of 
the upgrades is often not due to a late start or a lack of interest, 
but rather due to a large amount of caution when working with 
production systems.

I would like to see:

-   Full security support for Potato for at least another 3 months.

-   Limited security support for a longer period. For example it would be
    very nice if Debian Security could make a commitment to release
    updates for Potato, for any relevant vulnerability listed in a CERT
    (http://www.cert.org) advisory for a period of say 12 months.

The idea is to at least fix remotely exploitable vulnerabilities that 
do not require the attacker to have knowledge of a local account 
password. I mentioned CERT as they seem to be very conservative. They 
do not issue advisories before the exploit has been verified and is 
deemed to be a significant risk. Thus many of the DSAs cover 
vulnerabilities which do not make it into the CERT lists. Yet a very 
large percentage of compromised servers are compromised via 
vulnerabilities that have already been published in CERT advisories 
at the time of the intrusion. As no new software has been added to 
Potato for years the actual number of security releases required to 
implement the above should not be all that large. 

Potato was the preferred stable version of Debian for a number of 
years and there must be a very large number of machines installed 
with this version of the distribution. Many of the people who 
installed Potato chose Debian because they were installing it on 
publicly accessible production servers. Debian is probably still the 
best distribution for a stable secure Linux system. It would be 
unfortunate to disappoint those people now.

Thanks


Ian Forbes
---------------------------------------------------------------------
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388  Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
---------------------------------------------------------------------
