[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Should we be alarmed at our state of security support?

On Wed, Feb 18, 2015 at 9:11 AM, John Goerzen wrote:
> On this machine, it found 472 vulnerabilities.  Quite a few of them fit
> into the remotely exploitable, high urgency category.  Many date back to
> last year, some as far back as 2012.  I've included a few examples at
> the end.

I'm not sure what your approach to counting is, but if it is simply
"debsecan | wc -l" then you are sorely over-counting, not to mention
that vulnerability counting itself is a road to madness:

On the over-counting topic, since security issues are tracked by
source package, debsecan can show up to 7 different binary packages or
more affected by the same CVE (for example util-linux, krb5).

Also, if you've set up multi-arch, debsecan will show the same CVE
separately for i386 and amd64 (that's a bug by the way).

> Now, it is possible with some of these that the security-tracker
> database ought to be updated to reflect that there is not a true
> vulnerability.  However, many of them seem to be existing issues that
> just got forgotten somehow.  I've traced a few through bug reports and such.

If you follow the secure-testing-commits list for a day, you'll see
the herculean effort the security team puts in to keeping up with the
constant deluge of new and ongoing security issues:

So to suggest that not enough is being done is disingenuous and insulting.

> Are we already aware of these issues?

If it's in the security tracker, then of course it is known.

> Do we have plans to fix them?

Of course everything is intended to be fixed, but without a sufficient
number of interested volunteers doing that, how is it supposed to

> Do we know what would be helpful to fix them?

More volunteers actually doing the hard and constant day to day work
that is security upkeep.  Fewer distracting and obviously
ill-researched blog and mailing list posts would also be nice.

Best wishes,

Reply to: