Re: Should we be alarmed at our state of security support?
On Wed, Feb 18, 2015 at 9:11 AM, John Goerzen wrote:
> On this machine, it found 472 vulnerabilities. Quite a few of them fit
> into the remotely exploitable, high urgency category. Many date back to
> last year, some as far back as 2012. I've included a few examples at
> the end.
I'm not sure what your approach to counting is, but if it is simply
"debsecan | wc -l" then you are sorely over-counting, not to mention
that vulnerability counting itself is a road to madness:
https://www.blackhat.com/us-13/briefings.html#Martin
On the over-counting topic, since security issues are tracked by
source package, debsecan can show up to 7 different binary packages or
more affected by the same CVE (for example util-linux, krb5).
Also, if you've set up multi-arch, debsecan will show the same CVE
separately for i386 and amd64 (that's a bug by the way).
> Now, it is possible with some of these that the security-tracker
> database ought to be updated to reflect that there is not a true
> vulnerability. However, many of them seem to be existing issues that
> just got forgotten somehow. I've traced a few through bug reports and such.
If you follow the secure-testing-commits list for a day, you'll see
the herculean effort the security team puts into keeping up with the
constant deluge of new and ongoing security issues:
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
So to suggest that not enough is being done is disingenuous and insulting.
> Are we already aware of these issues?
If it's in the security tracker, then of course it is known.
> Do we have plans to fix them?
Of course everything is intended to be fixed, but without a sufficient
number of interested volunteers doing that, how is it supposed to
happen?
> Do we know what would be helpful to fix them?
More volunteers actually doing the hard and constant day-to-day work
that is security upkeep. Fewer distracting and obviously
ill-researched blog and mailing list posts would also be nice.
Best wishes,
Mike
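The over-counting Mike describes (one CVE listed once per affected binary package, and again per architecture under multi-arch) is easy to see with a small counting script. The following is an added example, not part of the thread and not debsecan's own code: it parses constructed lines in the layout debsecan's summary output is assumed to use here (`CVE-ID binary-package (flags)`, with an assumed `:arch` suffix for foreign-architecture packages), folds binaries into their source package using a constructed map, and compares the naive line count with the per-CVE and per-(CVE, source) counts. The CVE identifiers and package names in the sample are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed debsecan summary layout. CVE-0000-* ids
# are deliberate placeholders, not real advisories.
SAMPLE = """\
CVE-0000-0001 util-linux (remotely exploitable, high urgency)
CVE-0000-0001 mount (remotely exploitable, high urgency)
CVE-0000-0001 libblkid1 (remotely exploitable, high urgency)
CVE-0000-0001 libblkid1:i386 (remotely exploitable, high urgency)
CVE-0000-0002 libkrb5-3 (low urgency)
CVE-0000-0002 libkrb5-3:i386 (low urgency)
CVE-0000-0002 libgssapi-krb5-2 (low urgency)
CVE-0000-0003 bash (remotely exploitable, high urgency)
"""

# Constructed binary -> source package map. On a real system this would be
# derived from dpkg's Source field; binaries absent from the map are assumed
# to be their own source package.
SOURCE_OF = {
    "mount": "util-linux",
    "libblkid1": "util-linux",
    "libkrb5-3": "krb5",
    "libgssapi-krb5-2": "krb5",
}

LINE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s+(\S+)\s*(?:\((.*)\))?\s*$")
URGENCY_RE = re.compile(r"\b(\w+) urgency\b")


def parse(text):
    """Turn summary lines into records; lines not in the assumed layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        cve, pkg, flags = m.group(1), m.group(2), m.group(3) or ""
        binary, _, arch = pkg.partition(":")  # "libblkid1:i386" -> ("libblkid1", "i386")
        urgency = URGENCY_RE.search(flags)
        records.append({
            "cve": cve,
            "binary": binary,
            "arch": arch or "native",
            "remote": "remotely exploitable" in flags,
            "urgency": urgency.group(1) if urgency else "unknown",
        })
    return records


def summarize(text, source_of=None):
    """Compare the naive line count with de-duplicated counts."""
    source_of = source_of or {}
    records = parse(text)
    sources_by_cve = defaultdict(set)
    for r in records:
        sources_by_cve[r["cve"]].add(source_of.get(r["binary"], r["binary"]))
    return {
        "raw_lines": len(records),                      # what "debsecan | wc -l" reports
        "unique_cves": len(sources_by_cve),             # one count per CVE
        "cve_source_pairs": sum(len(s) for s in sources_by_cve.values()),
        "high_remote_cves": len({r["cve"] for r in records
                                 if r["remote"] and r["urgency"] == "high"}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE, SOURCE_OF).items():
        print(f"{key:18} {value}")
```

With the sample above the naive count is 8, but only 3 distinct CVEs are involved, each touching a single source package; without the source map the (CVE, package) count is 6, which is the binary-package inflation the message refers to.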