
Linux patch problems: Your distro may vary (SearchSecurity.com)

SearchSecurity.com compares the security patch response time across a number of popular Linux distributions. "So, why pick one brand instead of another? One reason is security. Not the security of the code itself, but how fast security patches get applied and published. The faster a security patch can be applied, the smaller the window of opportunity for attacks that exploit those vulnerabilities. Therefore, all other things being equal, security managers would prefer a Linux distribution with a record of speedy publication of fixes for security issues."

All else is not equal

Posted Jul 27, 2006 17:21 UTC (Thu) by JoeBuck (subscriber, #2330) [Link]

For example, those distros that are set up to run SELinux are often (but not always) protected against exploits that work on other distros, or limit the damage that results from exploits. The same goes for other security technologies that make buffer overflows more difficult to exploit (stack guards, address space randomization etc).

Linux patch problems: Your distro may vary (SearchSecurity.com)

Posted Jul 27, 2006 18:50 UTC (Thu) by TRauMa (guest, #16483) [Link]

I have to admit I'm surprised. I usually use the Gentoo Linux Security Advisories (GLSA) to judge the amount of patching I'll have to do some days later on the Debian machines (when I get the DSA), yet Gentoo only manages to get two thirds the score of Debian.

So either I'm biased in some way or the selection of installed packages is very important to the measured/perceived latency between discovery and fix?

(Apart from that I have to second the post above, if you use hardened Gentoo, for example, many advisories just don't apply to you anyway).

Linux patch problems: Your distro may vary (SearchSecurity.com)

Posted Jul 27, 2006 20:06 UTC (Thu) by tetromino (subscriber, #33846) [Link]

Yep. One particularly egregious case I remember is awstats. When a remote sploit was discovered in awstats 6.something, Gentoo and Ubuntu both fixed it within a couple of days. Debian took a couple of months -- and leaving an exploitable cgi script unfixed for months is just insane. As a matter of fact, some Romanians did try to pwn me using the awstats bug. If I hadn't read the Gentoo security advisory and manually applied the patch on my Debian server, I would have been dead.

Linux patch problems: Your distro may vary (SearchSecurity.com)

Posted Jul 27, 2006 19:57 UTC (Thu) by CyberDog (guest, #29668) [Link]

I have to call shenanigans here. They're comparing apples to oranges when it comes to release cycles across distros. Gentoo, which runs cutting/bleeding edge releases is completely different from say Debian which runs relatively "old" software. You'll often be running two completely different releases of software between the two, more often than not having completely different sets of vulnerabilities. What happens when vulnerabilities are discovered in Debian's release of FF 1.0.8 when Gentoo users are already using 1.5?

Linux patch problems: Your distro may vary (SearchSecurity.com)

Posted Jul 28, 2006 20:03 UTC (Fri) by nevyn (subscriber, #33129) [Link]

Not only that, but even if they have the same bugs, the unstable versions are much more likely to be fixed by upstream. Whereas the stable versions will likely only be fixed by the distro.

So you might be giving a distro a good rating for doing nothing, and giving another a worse one for pulling out all the stops to backport fixes.
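The article's metric is the window between disclosure and a published fix, and the comments above point out that the comparison only makes sense if you first check whether the version a distro ships is affected at all. The script below, an added example that is not from the SearchSecurity article, LWN, or any distro's tooling, computes that window per distro while treating "not affected" and "still unpatched" as separate outcomes. All advisories, version ranges, and dates are constructed sample data; the "stable" and "rolling" distro names and the vulnerability ids are placeholders.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class Advisory:
    """One vulnerability: when it became public and which upstream versions it hits."""
    vuln_id: str          # placeholder id, not a real CVE
    disclosed: date
    affected_min: tuple   # inclusive lower bound of affected upstream versions
    affected_max: tuple   # inclusive upper bound of affected upstream versions


@dataclass(frozen=True)
class DistroPackage:
    """The upstream version a distro ships, plus the dates it published fixes."""
    distro: str
    shipped_version: tuple
    fixed_on: dict        # vuln_id -> date the distro's fix was published


def parse_version(text):
    """'1.0.8' -> (1, 0, 8) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def is_affected(adv, version):
    return adv.affected_min <= version <= adv.affected_max


def exposure_days(adv, pkg):
    """Days the distro's users were exposed to this advisory.

    None  -> the shipped version is outside the affected range (no exposure).
    inf   -> affected but no fix has been published yet.
    int   -> days from public disclosure to the distro's fix.
    """
    if not is_affected(adv, pkg.shipped_version):
        return None
    fixed = pkg.fixed_on.get(adv.vuln_id)
    if fixed is None:
        return float("inf")
    return (fixed - adv.disclosed).days


def latency_report(advisories, packages):
    """Per-distro summary that keeps 'not affected' apart from 'fixed quickly'."""
    report = {}
    for pkg in packages:
        days, not_affected, unpatched = [], 0, 0
        for adv in advisories:
            d = exposure_days(adv, pkg)
            if d is None:
                not_affected += 1
            elif d == float("inf"):
                unpatched += 1
            else:
                days.append(d)
        report[pkg.distro] = {
            "applicable": len(days) + unpatched,   # advisories that actually hit this version
            "not_affected": not_affected,
            "unpatched": unpatched,
            "mean_days": mean(days) if days else None,
            "max_days": max(days) if days else None,
        }
    return report


# Constructed sample data: a "stable" distro on an older release and a
# "rolling" distro on a newer one, so the same advisory does not apply equally.
ADVISORIES = [
    Advisory("VULN-A", date(2006, 3, 1), parse_version("1.0.0"), parse_version("1.0.8")),
    Advisory("VULN-B", date(2006, 5, 1), parse_version("1.0.0"), parse_version("1.5.0")),
    Advisory("VULN-C", date(2006, 7, 1), parse_version("1.5.0"), parse_version("1.5.0")),
    Advisory("VULN-D", date(2006, 7, 10), parse_version("1.0.0"), parse_version("1.5.0")),
]

PACKAGES = [
    DistroPackage("stable", parse_version("1.0.8"),
                  {"VULN-A": date(2006, 3, 10), "VULN-B": date(2006, 6, 15)}),
    DistroPackage("rolling", parse_version("1.5.0"),
                  {"VULN-B": date(2006, 5, 3), "VULN-C": date(2006, 7, 2),
                   "VULN-D": date(2006, 7, 12)}),
]


def build_report():
    return latency_report(ADVISORIES, PACKAGES)


if __name__ == "__main__":
    for distro, stats in build_report().items():
        print(distro, stats)
```

Counting only "advisories fixed" would credit the rolling distro for VULN-A, which it never shipped a vulnerable version of; the report instead shows it as not affected, and shows the stable distro's VULN-D as an open exposure rather than silently dropping it from the average.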

nice with snapshots

Posted Jul 28, 2006 21:20 UTC (Fri) by maceto (guest, #16498) [Link]

See Debian's kernel patching since Woody... some holes took 4+ months! So it really depends when!! One look.


Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds