[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Secure-testing-team] Vulnerabilities not affecting Debian: reporting proposal

Alexander Konovalenko on 2007-07-11 16:59:00 +0400:

> When I maintain a secure machine, I naturally want to keep it secure
> against known attacks. I subscribe to Bugtraq and a CVE-compatible
> vulnerability database and watch them closely for anything that could
> affect my machine. When an advisory that potentially affects my
> machine is published, I try to react appropriately before it is fixed
> in the distribution (for our purposes here, the distribution is either
> Debian stable or testing), and then I look forward for the
> distribution to issue a patch.


> The problem is with investigating the vulnerability independently. I'm
> not an expert and have other things to do. Determining whether my
> distribution is affected by a bug is not trivial. It's not enough to
> try a published exploit or compare the relevant part of the source.
> Without a deeper understanding of the vulnerability and its context, I
> can't tell whether the exploit doesn't work because my version is
> immune or because the exploit should be modified slightly for my
> version. And all that is just duplicate effort: the security team has
> most certainly done the same research more accurately than I could
> ever do.

I can't speak for the security team, but the testing security team could
always use more people doing what you apparently already do - determine
which new CVEs affect Debian and find ways to get those issues fixed.
Head over to http://security-tracker.debian.net/tracker/data/report to
find out how you can contribute.

Much of the infrastructure you mentioned is already in place.  The
testing security team keeps a list of CVEs and short descriptions of how
(if at all) each affects Debian as well as information like versions in
which the issue is fixed, bug numbers, and severity indicators.  It's
kept in plain-text in a publicly-viewable svn repository, but there are
other ways to view the information.  At
http://security-tracker.debian.net/ you can look up the status of
different packages, CVEs, and security bug numbers.  Also, the Debian
Security Analyzer (package debsecan) will alert you to vulnerable
packages on that system using the security-tracker data.

Reply to: