
Re: security support for squeeze?



On Tue, Nov 09, 2010 at 10:45:21PM +0100, Julien Cristau wrote:
> Hi,
> 
> I'm trying to figure out what we need for security support for squeeze.
> One blocker I know of is the dak upgrade on security-master, are there
> other things needed on the security team's side?

The dak update is the most important.

> The release notes also need an update regarding security support.  We
> currently have the following text:
> 
> > <section id="mozilla-security" condition="fixme">
> > <title>Security status of Mozilla products</title>
> > <para>
> > <indexterm><primary>Mozilla</primary></indexterm>
> > The Mozilla programs <systemitem role="package">firefox</systemitem>, 
> > <systemitem role="package">thunderbird</systemitem>, and
> > <systemitem role="package">sunbird</systemitem> (rebranded in Debian to
> > <systemitem role="package">iceweasel</systemitem>, <systemitem
> > role="package">icedove</systemitem>, and <systemitem 
> > role="package">iceowl</systemitem>, respectively), are important tools for
> > many users.  Unfortunately the upstream security policy is to urge users to
> > update to new upstream versions, which conflicts with Debian's policy of not
> > shipping large functional changes in security updates.  We cannot predict it
> > today, but during the lifetime of &releasename; the Debian Security Team may come to a
> > point where supporting Mozilla products is no longer feasible and announce the
> > end of security support for Mozilla products.  You should take this into
> > account when deploying Mozilla and consider alternatives available in Debian if
> > the absence of security support would pose a problem for you.
> > </para>
> > <para>
> > <systemitem role="package">iceape</systemitem>, the unbranded version
> > of the <systemitem role="package">seamonkey</systemitem> internet
> > suite has been removed from &releasename; (with the exception of a few
> > internal library packages).
> > </para>
> > </section>
> 
> I suspect that this is still valid (excluding the part about iceape,
> which is back in squeeze).  

It's still valid, but I'll leave this to Mike Hommey (added to CC)

> Should we add a blurb about the webkit-based
> browsers (epiphany, chromium, konqueror, others?)?  If so would anybody
> like to propose wording?

I'll leave the final formulation to someone else, but here's my personal
take on the state of browser security support for Squeeze:

- The webkit in QT4 isn't suitable for security-sensitive browsing, I don't 
see any systematic work or visible security support from Nokia. It's unlikely
that there will be any updates.

- Given that there's a three digit number of vulnerabilities in webkit
per year and no long term maintenance branch, it'll probably be swamped
by open security issues at some point. Gustavo and Michael will likely be
able to support it for some time, but I'm pessimistic in the long term, since
webkit development seems fairly dynamic. Since several apps are using it,
it will be difficult to update it to a new upstream release.

- khtml (the engine behind Konqueror) doesn't seem to have active upstream
security support these days.

- chromium has the same number of vulnerabilities as webkit. It might also
come to a point where security issues are impossible to backport, but in
contrast to webkit it has the benefit of being a leaf package, which could
be updated to a newer upstream release if needed. Someone should give Guiseppe
a hand, though, to distribute the load to more shoulders.

> > <section id="webservice-security" condition="fixme">
> > <title>Security status of OCS Inventory and SQL-Ledger</title>
> > <para>
> > <indexterm><primary>OCS Inventory</primary></indexterm>
> > <indexterm><primary>SQL-Ledger</primary></indexterm>
> > The webservice packages <systemitem
> > role="package">ocsinventory-server</systemitem> and <systemitem
> > role="package">sql-ledger</systemitem> are included in the &releasename;
> > release but have special security requirements that users should be aware of
> > before deploying them.  These two webservices are designed for deployment
> > only behind an authenticated HTTP zone and should never be made available to
> > untrusted users; and therefore they receive only limited security support
> > from the Debian security team.  Users should therefore take particular care
> > when evaluating who to grant access to these services.
> > </para>
> > </section>
> 
> Has this changed (I guess not)?  Are there other webapps in this
> category?

All current packages with a limited scope are listed in SVN:
http://svn.debian.org/wsvn/secure-testing/data/package-tags

kfreebsd should be fully supported by now, likewise clamav again.

The rest remains the same and is documented in README.Debian.security
or README.Debian. I'm not sure if they need to be added to the release 
notes, though. E.g., no sane company would run their accounting on a public
server anyway.

> Finally, are there other packages we know have limited security support,
> and should be mentioned there?

I currently cannot think of any. They usually only show when it's too late :-)

Cheers,
        Moritz
