Is my distribution vulnerable?
[Posted August 2, 2006 by corbet]
We recently posted a brief item about an Apache vulnerability which has the potential to be remotely exploitable. A number of distributors have responded to this vulnerability with the appropriate updates, but there is no update for Red Hat Enterprise Linux. Thanks to a helpful comment, we know that this is not a case of Red Hat letting its customers down; instead, RHEL is simply not vulnerable to this particular bug. Since there is no need for an update, none has been issued.

In this case, RHEL users can get information about this (non-)vulnerability from the Red Hat knowledge base - as long as they don't mind the disclaimer that "Red Hat makes no express or implied claims to its validity." In general, however, it remains difficult for users of any distribution to determine whether their installed systems are exposed to any specific vulnerability. The release of an update generally provides a positive answer, but, until that update comes out, users do not know for sure. Linux distributors would do well by their users to provide this information in an easily-found location.
As it happens, there are a couple of distributions which do make some information available:

- Fedora maintains a list of CVE numbers, along with comments on whether the distribution is vulnerable or not. It fails the "easily found" test, however: the list is maintained as a text file in a CVS repository, and one must go into the CVS web interface to see it. But, once one knows about the file, it is easy to pull it up and get information on specific problems. For the Apache problem, Fedora was indeed vulnerable, and the problem was fixed via a backport.

- Some time back, LWN received a somewhat indignant message to the effect that we should have looked up a vulnerability in the Debian Security Bug Tracker. There is a lot of good information there on specific vulnerabilities; the CVE-2006-3747 page (for the same Apache vulnerability) notes that stable has been fixed, but that testing and unstable are vulnerable. This tracker also fails the "easily found" test: it is not hosted under a debian.org domain, and there is no mention of it on the Debian security information or security FAQ pages. A determined user can find a non-vulnerabilities page which has some useful information, but it does not have the full story.
Most of the time, Linux distributors do a high-quality job of tracking and responding to vulnerabilities. It is rare that users of a high-profile distribution remain without updates for serious vulnerabilities for any serious period of time. They could help their users a bit more, however, if they were to make more of their tracking information available. More visibility into the system will increase confidence that problems are being addressed - especially in cases where a distribution is not vulnerable and the problem does not exist in the first place.