
Re: Should we be alarmed at our state of security support?



On Wed, Feb 18, 2015 at 9:11 AM, John Goerzen wrote:
> On this machine, it found 472 vulnerabilities.  Quite a few of them fit
> into the remotely exploitable, high urgency category.  Many date back to
> last year, some as far back as 2012.  I've included a few examples at
> the end.

I'm not sure what your approach to counting is, but if it is simply
"debsecan | wc -l" then you are sorely over-counting, not to mention
that vulnerability counting itself is a road to madness:
https://www.blackhat.com/us-13/briefings.html#Martin

On the over-counting topic, since security issues are tracked by
source package, debsecan can show up to 7 different binary packages or
more affected by the same CVE (for example util-linux, krb5).

Also, if you've set up multi-arch, debsecan will show the same CVE
separately for i386 and amd64 (that's a bug by the way).

> Now, it is possible with some of these that the security-tracker
> database ought to be updated to reflect that there is not a true
> vulnerability.  However, many of them seem to be existing issues that
> just got forgotten somehow.  I've traced a few through bug reports and such.

If you follow the secure-testing-commits list for a day, you'll see
the herculean effort the security team puts in to keeping up with the
constant deluge of new and ongoing security issues:
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

So to suggest that not enough is being done is disingenuous and insulting.

> Are we already aware of these issues?

If it's in the security tracker, then of course it is known.

> Do we have plans to fix them?

Of course everything is intended to be fixed, but without a sufficient
number of interested volunteers doing that, how is it supposed to
happen?

> Do we know what would be helpful to fix them?

More volunteers actually doing the hard and constant day-to-day work
that is security upkeep.  Fewer distracting and obviously
ill-researched blog and mailing list posts would also be nice.

Best wishes,
Mike
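To make the over-counting point above concrete, here is an added example (not part of the thread or of debsecan itself) that collapses debsecan-style summary lines onto unique CVEs, stripping the multi-arch qualifier so the i386/amd64 duplicates and the per-binary-package duplicates fold together. The input is constructed to mimic debsecan's one-line summary format; the CVE ids are placeholders and the package names are illustrative.

```python
# Constructed sample in the style of debsecan's summary output (not real scanner
# output, placeholder CVE ids). The same CVE shows up once per affected binary
# package built from one source package and, with multi-arch, once per architecture.
SAMPLE_OUTPUT = """\
CVE-0000-0001 util-linux (remotely exploitable, high urgency)
CVE-0000-0001 libblkid1 (remotely exploitable, high urgency)
CVE-0000-0001 libblkid1:i386 (remotely exploitable, high urgency)
CVE-0000-0001 libmount1 (remotely exploitable, high urgency)
CVE-0000-0001 libuuid1 (remotely exploitable, high urgency)
CVE-0000-0001 mount (remotely exploitable, high urgency)
CVE-0000-0002 libkrb5-3 (remotely exploitable, high urgency)
CVE-0000-0002 libkrb5-3:i386 (remotely exploitable, high urgency)
CVE-0000-0002 libgssapi-krb5-2 (remotely exploitable, high urgency)
CVE-0000-0003 example-pkg (low urgency)
"""


def parse_line(line):
    """Split one summary line into (cve, package without arch, list of flags)."""
    cve, pkg, rest = line.split(None, 2)
    pkg = pkg.partition(":")[0]          # "libblkid1:i386" -> "libblkid1"
    flags = rest.strip("()").split(", ")  # e.g. ["remotely exploitable", "high urgency"]
    return cve, pkg, flags


def summarize(output):
    """Group lines by CVE: affected binary packages, remote flag and urgency."""
    by_cve = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        cve, pkg, flags = parse_line(line)
        entry = by_cve.setdefault(cve, {"packages": set(), "remote": False, "urgency": "unknown"})
        entry["packages"].add(pkg)
        entry["remote"] = entry["remote"] or "remotely exploitable" in flags
        for flag in flags:
            if flag.endswith(" urgency"):
                entry["urgency"] = flag.split()[0]
    for entry in by_cve.values():
        entry["packages"] = sorted(entry["packages"])
    return by_cve


def counts(output):
    """Return (raw line count, unique CVEs, unique remotely exploitable + high urgency CVEs)."""
    by_cve = summarize(output)
    high = sum(1 for e in by_cve.values() if e["remote"] and e["urgency"] == "high")
    return len(output.splitlines()), len(by_cve), high


if __name__ == "__main__":
    raw, unique, high = counts(SAMPLE_OUTPUT)
    print(f"raw lines: {raw}, unique CVEs: {unique}, remote+high: {high}")
```

Against real output, pipe `debsecan` into the script in place of the constructed sample; the gap between the raw line count and the unique-CVE count is the over-counting the reply describes.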
