Re: Should we be alarmed at our state of security support?

On 02/19/2015 12:25 AM, Michael Gilbert wrote:
> On Wed, Feb 18, 2015 at 9:11 AM, John Goerzen wrote:
>> On this machine, it found 472 vulnerabilities.  Quite a few of them fit
>> into the remotely exploitable, high urgency category.  Many date back to
>> last year, some as far back as 2012.  I've included a few examples at
>> the end.
> I'm not sure what your approach to counting is, but if it is simply
> "debsecan | wc -l" then you are sorely over-counting, not to mention
> that vulnerability counting itself is a road to madness:
> https://www.blackhat.com/us-13/briefings.html#Martin

Indeed, I understand that.  I perhaps used imprecise language.  "472
*REPORTED* vulnerabilities" then.

However, part of what I was trying to figure out here is: do we have a
lot of unpatched vulnerabilities in our archive?  Whether there were 472
or 100 issues on my particular machine is somewhat beside the point.

At the moment, I am not really sure what the answer is.  Perhaps none of
those issues are unpatched vulnerabilities.  debsecan is a very useful
concept, but if it sends me an email every day listing 472 things that I
do not need to pay attention to, then the utility of the tool is
*completely* ruined.  Not to mention, we have misleading information in
the security tracker.

People are saying that several of the things we've discussed are not
really issues in wheezy.  Perhaps there are even comments in the
security-tracker to that effect.  But the security-tracker lists wheezy
as vulnerable on the webpage and the database behind it.  Either the
comments are wrong or the database is.  So some of this may just be a
policy issue of "what do we put in the database?"  Maybe we need a field
saying "vulnerability exists in source but is not exploitable in
binaries as shipped" or something.

>> Now, it is possible with some of these that the security-tracker
>> database ought to be updated to reflect that there is not a true
>> vulnerability.  However, many of them seem to be existing issues that
>> just got forgotten somehow.  I've traced a few through bug reports and such.
> If you follow the secure-testing-commits list for a day, you'll see
> the herculean effort the security team puts in to keeping up with the
> constant deluge of new and ongoing security issues:
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
> So to suggest that not enough is being done is disingenuous and insulting.

Whoa, hold on a second there.  That doesn't make any sense.

I know that it is a tremendous effort to keep up with all this stuff,
and I have tremendous respect and appreciation for everyone that does.

But it is possible that even though everyone is working extremely hard,
STILL not enough is being done.

It may mean that the team needs more manpower, or better tools, or
whatever.  I find it very puzzling that you would say that just because
people are working very hard, therefore it is insulting to question
whether enough is being done, as if whenever someone is working very
hard they don't need any more help.

You will note that I very carefully made sure to put no blame on anyone
in my original message, and also explicitly asked if there are areas
where people need help.

>> Are we already aware of these issues?
> If it's in the security tracker, then of course it is known.

I meant, "are we already aware that debsecan reports hundreds of
vulnerabilities on patched systems?"  And that this does not appear to
be a bug in debsecan.

>> Do we have plans to fix them?
> Of course everything is intended to be fixed, but without a sufficient
> number of interested volunteers doing that, how is it supposed to
> happen?


>> Do we know what would be helpful to fix them?
> More volunteers actually doing the hard and constant day to day work
> that is security upkeep.  Fewer distracting and obviously
> ill-researched blog and mailing list posts would also be nice.

You know, Mike, *explicit* in my original email was a question of what
help is needed.  I was willing to pitch in and help.  I may still be.

But how else is someone going to learn that when security-tracker says
"vulnerable", in hundreds of instances, that may be wrong, other than by
asking?  I didn't find this documented anywhere.

To be insulting to someone that asked a polite question about "why does
debsecan show hundreds of vulnerabilities on an up-to-date system" -- a
GOOD question -- is frankly astonishing.

Rather than insulting those that might jump in to help, you might send
links to information on how to pitch in and be of assistance.  Frankly
if the security team is going to be this prickly, the costs of dealing
with personalities will eat up too much of my time and drain the
satisfaction out of doing something useful for me.
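The counting point raised above (that "debsecan | wc -l" over-counts, because one CVE shows up once per affected binary package, and that the interesting number is the set of distinct unfixed issues) can be shown with a small parser.  This is an added example, not code from this thread or from debsecan itself; the sample lines are constructed for the example, and their shape ("CVE-id package (flags)") is an assumption modeled on debsecan's summary output rather than a quote of it.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of debsecan's summary output
# ("CVE-id package (flags)").  These lines are made up for this example;
# they are not the 472 findings from the poster's machine.
SAMPLE_REPORT = """\
CVE-2014-0001 libfoo1 (remotely exploitable, high urgency)
CVE-2014-0001 libfoo-dev (remotely exploitable, high urgency)
CVE-2014-0001 foo-utils (remotely exploitable, high urgency)
CVE-2013-0002 libbar2 (low urgency)
CVE-2012-0003 baz (remotely exploitable, medium urgency, fixed)
CVE-2014-0004 libfoo1 (remotely exploitable, medium urgency)
CVE-2014-0004 foo-utils (remotely exploitable, medium urgency)
CVE-2014-0005 qux (obsolete)
"""

# Assumed line format: CVE id, binary package, optional comma-separated flags.
LINE_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<pkg>\S+)(?:\s+\((?P<flags>[^)]*)\))?\s*$"
)


def parse_report(text):
    """Turn debsecan-style summary lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flags = {f.strip() for f in (m.group("flags") or "").split(",") if f.strip()}
        urgency = None
        for f in flags:
            if f.endswith(" urgency"):
                urgency = f[: -len(" urgency")]
        entries.append({
            "cve": m.group("cve"),
            "pkg": m.group("pkg"),
            "remote": "remotely exploitable" in flags,
            "urgency": urgency,
            "fixed": "fixed" in flags,
            "obsolete": "obsolete" in flags,
        })
    return entries


def line_count(entries):
    """What 'debsecan | wc -l' reports: one line per (CVE, binary package) pair."""
    return len(entries)


def distinct_cves(entries, include_fixed=False):
    """Distinct CVE ids, by default dropping the ones debsecan already marks fixed."""
    return sorted({e["cve"] for e in entries if include_fixed or not e["fixed"]})


def packages_per_cve(entries):
    """Map CVE -> sorted binary packages, showing how one issue becomes many lines."""
    by_cve = defaultdict(set)
    for e in entries:
        by_cve[e["cve"]].add(e["pkg"])
    return {cve: sorted(pkgs) for cve, pkgs in by_cve.items()}


def triage_bucket(entries, remote=True, urgency="high"):
    """Unfixed CVEs matching a remote/urgency filter: the ones to look at first."""
    return sorted({
        e["cve"] for e in entries
        if e["remote"] == remote and e["urgency"] == urgency and not e["fixed"]
    })


def summarize(text):
    """Line count versus distinct, open, and remote+high CVE counts for one report."""
    entries = parse_report(text)
    return {
        "lines": line_count(entries),
        "distinct_cves": len(distinct_cves(entries, include_fixed=True)),
        "open_cves": len(distinct_cves(entries)),
        "remote_high": triage_bucket(entries),
    }


if __name__ == "__main__":
    # With the constructed sample: 8 lines, but only 5 CVEs, 4 of them open,
    # and 1 that is both remotely exploitable and high urgency.
    print(summarize(SAMPLE_REPORT))
    for cve, pkgs in sorted(packages_per_cve(parse_report(SAMPLE_REPORT)).items()):
        print(cve, "->", ", ".join(pkgs))
```

Feeding real debsecan output into parse_report() gives the same breakdown for a live system; the "open_cves" and "remote_high" numbers are the ones worth reading each day, and the gap between "lines" and "distinct_cves" is the over-counting mentioned in the reply above.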


Reply to: