
Re: Should we be alarmed at our state of security support?



Hi John,

On Wed, February 18, 2015 15:11, John Goerzen wrote:
> Hi folks,
>
> So I recently downloaded and installed debsecan on several of my
> machines.  These are all fully up-to-date machines, running either
> wheezy or jessie.  For now I'll just focus on wheezy since it's where
> our security focus should go.
>
> On this machine, it found 472 vulnerabilities.  Quite a few of them fit
> into the remotely exploitable, high urgency category.  Many date back to
> last year, some as far back as 2012.  I've included a few examples at
> the end.
>
> Now, it is possible with some of these that the security-tracker
> database ought to be updated to reflect that there is not a true
> vulnerability.  However, many of them seem to be existing issues that
> just got forgotten somehow.  I've traced a few through bug reports and
> such.
>
> I wonder:
>
> Are we already aware of these issues?
>
> Do we have plans to fix them?
>
> Do we know what would be helpful to fix them?

Yes, we know about those issues. That's why debsecan reports them to you
in the first place. A good place to learn more about an issue is to
actually follow the links you pasted at the bottom of your email. There
you can e.g. see a motivation for why libtiff4 is not that urgent to fix,
similar for php5 and the useful note that clamav will be fixed through
wheezy-updates and not wheezy-security (it's currently in the srm queue).

If you are alarmed by the output of debsecan, it may be because the tool
lacks the nuance that is represented in the tracker and does not expose
the information above. Of the many issues coming in every day, there are
many shades of impact and priority.

A good start to direct your efforts may be to enhance debsecan to be more
precise in what it presents.

Another improvement could be to reconsider how informative the NVD
severity actually is in practice or whether we should avoid displaying it.


Cheers,
Thijs
