Is my distribution vulnerable?

We recently posted a brief item about an Apache vulnerability which has the potential to be remotely exploitable. A number of distributors have responded to this vulnerability with the appropriate updates, but there is no update for Red Hat Enterprise Linux. Thanks to a helpful comment, we know that this is not a case of Red Hat letting its customers down; instead, RHEL is simply not vulnerable to this particular bug. Since there is no need for an update, none has been issued.

In this case, RHEL users can get information about this (non-) vulnerability from the Red Hat knowledge base - as long as they don't mind the disclaimer that "Red Hat makes no express or implied claims to its validity." In general, however, it remains difficult for users of any distribution to determine whether their installed systems are exposed to a specific vulnerability. The release of an update gives a positive answer, but, until that update comes out, users do not know for sure whether they are exposed or whether no fix is needed. Linux distributors would do their users a service by publishing this information in an easily-found location.

As it happens, there are a couple of distributions which do make some information available:

  • Fedora maintains a list of CVE numbers, along with comments on whether the distribution is vulnerable or not. It fails the "easily found" test, however: the list is maintained as a text file in a CVS repository, and one must go into the CVS web interface to see it. But, once one knows about the file, it is easy to pull it up and get information on specific problems. For the Apache problem, Fedora was indeed vulnerable, and the problem was fixed via a backport.

  • Some time back, LWN received a somewhat indignant message to the effect that we should have looked up a vulnerability in the Debian Security Bug Tracker. There is a lot of good information there on specific vulnerabilities; the CVE-2006-3747 page (for the same Apache vulnerability) notes that stable has been fixed, but that testing and unstable are vulnerable.

    This tracker also fails the "easily found" test: it is not hosted under a debian.org domain, and there is no mention of it on the Debian security information or security FAQ pages. A determined user can find a non-vulnerabilities page which has some useful information, but it does not have the full story.

Most of the time, Linux distributors do a high-quality job of tracking and responding to vulnerabilities. It is rare that users of a high-profile distribution remain without updates for serious vulnerabilities for any significant period of time. They could help their users a bit more, however, if they were to make more of their tracking information available. More visibility into the process will increase confidence that problems are being addressed - especially in cases where a distribution is not vulnerable and the problem does not exist in the first place.


Is my distribution vulnerable?

Posted Aug 3, 2006 3:59 UTC (Thu) by k8to (subscriber, #15413)

This problem with locating the resource of the debian security bug tracker is quite typical for debian. The main web page of the project is famously useless.

The main web page has a news page which rarely ever lists any useful news, only major releases and updates of stable, which are rarely of significant importance. There are few pointers to external resources, and basically no support for users of testing and unstable, which despite the periodic protestations of the project represent the majority of Debian users.

It is not really hard to understand, as Debian largely moves forward via committee, discussion, and interest groups, while web pages tend to be centrally or individually managed. There simply has not developed a smooth process for the main debian.org pages to be maintained and updated, and thus they are not very useful. The debian wiki by contrast has steadily been becoming more useful. Perhaps in the long run it may become more generally used by the project.

Is my distribution vulnerable?

Posted Aug 4, 2006 17:45 UTC (Fri) by kreutzm (subscriber, #4700)

Moving to the wiki would have the negative side effect of less translated content. I think highly dynamic content (like working on release issues) should go into a wiki, while more official content should remain or go onto the web page (e.g., the official security announcements are rather static, at least after the last typos have been fixed, and are typically translated into several languages).

The problem is that many services are tried out on external sites (like debian.net) and only if proven successful and manageable are they integrated into the main web infrastructure. Further, my impression is, as a web translator for Debian, that many people don't like to think about proper inclusion of their content into the web pages. Also size doesn't help - touching the web portal of a major distribution might scare many people off ...

Is my distribution vulnerable?

Posted Aug 13, 2006 21:44 UTC (Sun) by dirtyepic (subscriber, #30178)

Yes, because I know I'd run away arms flailing madly should any unsuspected change befall my distro's home page...

Is my distribution vulnerable?

Posted Aug 3, 2006 9:31 UTC (Thu) by mjcox@redhat.com (subscriber, #31775)

The announcement and co-ordination of this bug was done through both CERT and NISCC. Both solicited and published statements from vendors. When writing the Apache announcement text we included a direct link to the CERT knowledgebase entry; that entry contains the official statements from projects such as Fedora, Red Hat, and so on. We also mentioned in the Apache announcement text that not all distributions of Apache would be vulnerable.

So as well as a knowledgebase article, the statement from Red Hat is only two clicks away from the Apache announcement.

We're also currently trialling putting vendor statements directly into the National Vulnerability Database; so, for example, if you saw this issue was CVE-2006-3747 you'd visit the Mitre CVE database, and the link at the top left of the page takes you to http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3747 which has a Red Hat statement.

Other suggestions welcomed :)

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds