A selective look at response times
Vulnerability     Distributor
                  Debian  Fedora  Gentoo  Red Hat  SUSE  Ubuntu
Apache mod_ssl    --      --      --      11       --    12
clamav            22      --      3       n/a      --    --
evolution         --      1       13      19       --    --
fetchmail         22      0       4       4        --    5
PCRE              13      4       14      --       16    3
PHP XML-RPC       9       4       5       6        7     4
PHP XML-RPC 2     18      10      9       4        15    5
ProFTPd           35      --      4       n/a      --    n/a
vim modeline      --      16      --      28       --    1
The above table lists a subset of relatively important vulnerabilities disclosed since July, 2005. Distributions marked "n/a" do not ship the vulnerable package; a marking of "--" means that the update has not yet been released. Missing updates can mean one of two things: (1) the distributor simply has not gotten around to releasing an update yet, or (2) the relevant package is of the second-class-citizen variety, such as those found in Fedora Extras or Ubuntu's Universe.
Even though the set of vulnerabilities above is relatively small, some patterns emerge. Some distributors (Fedora, Gentoo, Debian, Red Hat) have managed to close most of the listed vulnerabilities. A couple of others have fallen seriously behind, however, leaving users running vulnerable software. Some distributors tend to be quite fast in getting updates out; others are slower. Perhaps the biggest surprise is the current lag time on Debian's updates; Debian used to be one of the faster distributions to get updates out.
It is worth noting, as well, that the increasingly popular "non-core" package repositories can be a hazard for administrators who are not paying attention. Clamav is used as a virus filter on many sites, and the recent vulnerability is real and exploitable. An administrator who relies upon a distribution's update mechanism may not have noticed that, when she used yum or apt-get to install clamav, it came from Fedora Extras or Ubuntu Universe. As a second-class-citizen package, clamav will not be updated by the distributor, and will remain vulnerable for an unknown period of time. Any security-conscious site which uses such packages should have a mechanism in place to note and respond to security problems in those packages.
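One way to build the first half of such a mechanism on a Debian or Ubuntu system, as an added example that is not code from the article, from LWN or from any distributor: parse the text output of `apt-cache policy` and list every installed package whose version was fetched from a component the distributor's security team does not cover, so that those packages can be put on a separate watch list. The sample `apt-cache policy` output below is constructed (the suite name, package names and versions are not claims about any real archive), and the choice of "main" and "restricted" as the supported components is an assumption.

```python
"""Flag installed packages that were pulled from a non-core repository component.

Added example for this article, not code from LWN or any distributor. It parses
the plain-text output of `apt-cache policy <pkg...>` (Debian/Ubuntu) and reports
packages whose *installed* version came from a component other than the ones
the distributor issues security advisories for. The sample output, package
names and versions are constructed; CORE_COMPONENTS is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Assumption: these are the components covered by the distributor's security team.
CORE_COMPONENTS = {"main", "restricted"}


@dataclass
class PackageOrigin:
    name: str
    installed: Optional[str]   # None when apt reports "Installed: (none)"
    component: Optional[str]   # e.g. "universe"; None if no archive source matched


# " *** 0.86.2-1ubuntu1 0"  -> the installed version (marked ***)
# "     1.2.10-22 0"        -> some other available version
_VERSION_RE = re.compile(r"^ (\*\*\*|   ) (\S+) (\d+)$")
# "        500 http://archive.ubuntu.com/ubuntu breezy/universe Packages"
_SOURCE_RE = re.compile(r"^\s+\d+\s+\S+\s+(\S+)/(\S+)\s+Packages\s*$")


def parse_policy(text: str) -> list[PackageOrigin]:
    """Parse `apt-cache policy` output covering one or more packages."""
    packages: list[PackageOrigin] = []
    current: Optional[PackageOrigin] = None
    in_installed_version = False
    for line in text.splitlines():
        # A package block starts with an unindented "name:" line.
        if line and not line[0].isspace() and line.endswith(":"):
            current = PackageOrigin(line[:-1], None, None)
            packages.append(current)
            in_installed_version = False
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("Installed:"):
            value = stripped.split(":", 1)[1].strip()
            current.installed = None if value == "(none)" else value
            continue
        version = _VERSION_RE.match(line)
        if version:
            in_installed_version = version.group(1) == "***"
            continue
        source = _SOURCE_RE.match(line)
        if source and in_installed_version and current.component is None:
            # First archive line under the installed version: "suite/component".
            current.component = source.group(2)
    return packages


def noncore_packages(text: str) -> list[str]:
    """Names of installed packages whose origin component is not distributor-supported."""
    return [
        p.name
        for p in parse_policy(text)
        if p.installed is not None
        and p.component is not None
        and p.component not in CORE_COMPONENTS
    ]


# Constructed sample in the shape of `apt-cache policy clamav fetchmail proftpd`.
SAMPLE_POLICY = """\
clamav:
  Installed: 0.86.2-1ubuntu1
  Candidate: 0.86.2-1ubuntu1
  Version table:
 *** 0.86.2-1ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu breezy/universe Packages
        100 /var/lib/dpkg/status
fetchmail:
  Installed: 6.2.5-13ubuntu2
  Candidate: 6.2.5-13ubuntu2
  Version table:
 *** 6.2.5-13ubuntu2 0
        500 http://archive.ubuntu.com/ubuntu breezy/main Packages
        100 /var/lib/dpkg/status
proftpd:
  Installed: (none)
  Candidate: 1.2.10-22
  Version table:
     1.2.10-22 0
        500 http://archive.ubuntu.com/ubuntu breezy/universe Packages
"""

if __name__ == "__main__":
    for name in noncore_packages(SAMPLE_POLICY):
        print(f"{name}: installed from a non-core component; track its security fixes separately")
```

Only the installed version's origin matters, which is why the parser ignores candidate versions and the `/var/lib/dpkg/status` line: a package that is merely available from Universe but not installed (proftpd in the sample) is not reported. Run against real output, the resulting list is the set of packages for which the site, not the distributor, must watch for security announcements.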
A selective look at response times
Posted Sep 8, 2005 6:03 UTC (Thu)
by wtogami (subscriber, #32325) (3 responses)

Regarding Clamav in Fedora Extras, surely you must be in error?

0.86.2 released July 24th
http://lurker.clamav.net/message/20050725.004418.bfa9660d...

First of 0.86.2 packages July 27th
http://download.fedora.redhat.com/pub/fedora/linux/extras...

It would be nice if your article could include details and proof rather than unsubstantiated assertions.

A selective look at response times
Posted Sep 8, 2005 7:37 UTC (Thu)
by dvrabel (subscriber, #9500) (2 responses)

Corbet's point is that there's no Fedora security announcement for ClamAV, not that there isn't an updated package available.

A selective look at response times
Posted Sep 8, 2005 8:31 UTC (Thu)
by rahulsundaram (subscriber, #21946) (1 response)

Doesn't really look that way. The article claims that no updates have been released and states that this is because Fedora Extras is a second class citizen.

Rahul

A selective look at response times
Posted Sep 8, 2005 12:08 UTC (Thu)
by smoogen (subscriber, #97)

I agree with you on that. The article comes across as released packages, not updates emailed out.

Correction
Posted Sep 8, 2005 7:35 UTC (Thu)
by mdz@debian.org (guest, #14112)

The evolution bugs referred to here were fixed by Ubuntu in USN-166-1 on August 11th, 2005.
https://www.ubuntu.com/usn/usn-166-1
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-200...

A selective look at response times
Posted Sep 8, 2005 8:02 UTC (Thu)
by mjcox@redhat.com (guest, #31775)

Red Hat triage all incoming security issues, and that severity impact rating is then used to prioritize work on the issue through development and QA.

We rated the "vim modeline" issue as having a low severity, which is why you see us taking 28 days (16 for Fedora). PCRE has a moderate severity, and is currently in QA. All the rest were rated important.

Missing from the list, and with the highest severity rating of critical, is the elm flaw, CAN-2005-2665. Although it's probably likely that not many users are still using elm, this flaw could allow a malicious message to run arbitrary code. (Red Hat: 3 days)

Also in August, with critical severity, we have the acroread flaws (CAN-2005-2470, same day) and gaim flaw (CAN-2005-2103, same day).

And how did Mandriva do?
Posted Sep 8, 2005 21:19 UTC (Thu)
by cdmiller (guest, #2813) (2 responses)

Clicking through the alerts, Mandriva has an alert and update for every vuln. Apparently they are the only vendor to do so if added to the above list. Why were they not included? To be fair, they did not add their Apache mod_ssl fix till today. Still, why no Mandriva when they are all over the linked alerts?

And how did Mandriva do?
Posted Sep 10, 2005 21:18 UTC (Sat)
by roelofs (guest, #2599) (1 response)

Very good question. I would like to have seen Slackware in there, too. Here's my extension of the table:

Vulnerability     Distributor
                  Debian  Fedora  Gentoo  Red Hat  SUSE  Ubuntu  Slack  Mand'va
Apache mod_ssl    --      --      --      11       --    12      14     13
clamav            22      --      3       n/a      --    --      n/a    4
evolution         --      1       13      19       --    --      n/a    7
fetchmail         22      0       4       4        --    5       2      7
PCRE              13      4       14      --       16    3       11     9
PHP XML-RPC       9       4       5       6        7     4       11     -1
PHP XML-RPC 2     18      10      9       4        15    5       16     7
ProFTPd           35      --      4       n/a      --    n/a     --     18
vim modeline      --      16      --      28       --    1       --     28

(I can't swear to the n/a's, but I don't find any sign of either clamav or evolution on my 10.0 box.)

Also, to my casual reading, it looks like Debian got dinged on the second PHP one--their "real" fix appears to have come out on 29 August, which would be 14 days by my reckoning. Gentoo may also have gotten boned on PCRE (14 vs. 5 days), but I didn't look into that one.

Greg

And how did Mandriva do?
Posted Sep 11, 2005 4:52 UTC (Sun)
by Ross (guest, #4065)

What would be nice is if the article were updated with those additional data and the corrections posted in the other threads...

A selective look at response times
Posted Sep 11, 2005 16:04 UTC (Sun)
by garloff (subscriber, #319)

To give a fair assessment of the delays, some more research on n/a would be useful.

I happen to know that SUSE is not affected by the ProFTP problem (this pile of vulnerabilities is not shipped any more since long) and not really by the vim modelines (because these are disabled by default on request of the security team).

Should the security team send out not affected messages every time to get the statistics out there looking better? At least for the ProFTP problem, such a statement does not provide any value to the customers -- it's obvious to them that this package is not installed on their machine.

The SUSE column is missing updates
Posted Sep 12, 2005 18:11 UTC (Mon)
by xkahn (subscriber, #1575)

                  SUSE
Apache mod_ssl    14 (a day too late for this article)
clamav            1
evolution         --
fetchmail         6
PCRE              16
PHP XML-RPC       7
PHP XML-RPC 2     15
ProFTPd           n/a
vim modeline      n/a (*)

(*) We have had modelines disabled by default for quite some time, so users will not be affected. It will be fixed in the next versions.

A selective look at response times
Posted Sep 15, 2005 17:46 UTC (Thu)
by ciaranm (guest, #23243)

I don't know why you think Gentoo hasn't fixed Vim modelines... It was fixed within two days, but no GLSA was issued because we have modelines disabled by default. Had the author done basic fact checking or contacted the relevant people, he would already know this...