Vulnerabilities and alerts in 2002

One of the advantages to having a site built on a real database is that you can use it to generate nifty tables. When we ran a list of vulnerabilities and alerts one year ago, the whole thing was generated by hand. Life is easier this time around.

...at least, if you're not concerned with keeping your systems secure. The following table, which covers the second half of 2002, contains 119 separate vulnerabilities, and well over 300 alerts. As much as we like to say that free software is more secure, the table below makes it clear that it is not anywhere near secure enough.

On the other hand, it's worth pointing out that almost none of the vulnerabilities listed below have, to our knowledge, been exploited on any kind of scale. Most of these problems have been found (and fixed) by developers proactively auditing the code; in general, the fixes seem to get out to most users in time to avoid widespread problems. Many of these vulnerabilities are, most likely, relatively hard to exploit.

The table reveals some of the limitations of our security database. If a vulnerability has no alerts from a particular distributor, it does not necessarily mean that said distributor never got around to fixing the problem. In many cases, the distributor did not ship a vulnerable version of the affected program, and thus did not need to put out an update.

Vulnerability Conectiva Debian Gentoo Mandrake Red Hat SCO SuSE
acroread X
amavis X
apache
apache X X X X X X X X
bind X X X X X
bind glibc X X X X X X X X
bugzilla X
bugzilla X
bugzilla X
bzip2 X
cacti X
canna X X X X
cups X X X X X X
cvs X
cyrus-imapd X X
cyrus-sasl X X
dhcpcd X X X X
dietlibc X X X
dvips X X X X X X
epic4-script-light X
ethereal X X X
evolution
exim X
fam X
fetchmail X X X X X X
fetchmail X X X X X X X
freeswan X
gaim X X
gaim X X X X
gallery X
glibc X X X X X X X X X
glibc X X
gtetrinet X X
gv X X X X X X X X
heartbeat X X X
heimdal X X
html2ps X X
hylafax X X X
i4l X
im X X
inn X
interchange X
irssi-text X
kde X X
kde X X X X X X X X X X X X X X
kdelibs X X X X
kdelibs X X X
kdenetwork X X X X
kernel X
kernel X X X
kernel X X X
kernel X
kgpg X
krb5 X X X
krb5 X
krb5, heimdal X X X X X X X X
l2tpd X
mod_ssl X X X X X
libpng X X X X
libpng X
libpng X X X X X
linuxconf
linuxconf X
log2mail X
luxman X
lynx X X
mailman X X
mantis X
mantis X X
masqmail X
mhonarc X X X
micq X
mm X X X X X X
mod_php4
mod_ssl X X X X X
mozilla X
mpack X
mysql X X X X X X
net-snmp X
nis, ypserv X X X X X X
nn
nss_ldap X X X
nullmailer X
openafs X
pam X
php X X X
pine X X X X
purity X
pxe X X
python X X X X X X X X
samba X X X X X X
scrollkeeper X X X
sendmail X
sendmail X X X X
smb2www X
squid X
squid X X X X
squirrelmail X X X X X
super X
syslog-ng X X X X
tar unzip X X X X X X
tcltk expect X X
tcpdump X X
tinyproxy X
tkmail X
tomcat X X X X X
traceroute X
util-linux X X X X
wget X X X X X X
windowmaker X X X
wordtrans X
wwwoffle X X X
xf86 xfree86 X X X X
xinetd X X X X X
zope X
zope X
sqwebmail X
Konqueror X
MailTools X X X
OpenLDAP2 X X X X X
OpenSSL X X X X X X X X X X X X
PHP X X X X
PostgreSQL X X X X X X X
Safe.pm X X

Vulnerabilities and alerts in 2002

Posted Feb 6, 2003 16:40 UTC (Thu) by smoogen (subscriber, #97)

Wow, using the logic I had presented to me about distros... Debian and Gentoo are the most insecure from last year since they had the most fixes. Expect press releases and news reports in a week or two by pundits at ZDnet.

Sigh... the truth of the matter is that the more applications you ship, the larger the number of points of failure you have. A separate page should probably be set up for the number of vulnerabilities against the Core/Minimal OS and the number of fixes.

Vulnerabilities and alerts in 2002

Posted Feb 6, 2003 20:49 UTC (Thu) by pradu (guest, #4323)

I think that Debian, far from being the most insecure, is the one with the biggest package list, and also one of the most active in sending timely updates to security problems.
So, I tend to think that the less security fixes a distro ships, the less secure a distro is :).

Just MHO, of course.

Vulnerabilities and alerts in 2002

Posted Feb 6, 2003 16:43 UTC (Thu) by taniwha (guest, #49)

Ooh, pretty patterns :) Makes me think of the game of life, which I guess this kind of is: the life and death of vulnerabilities in the linux world.

Vulnerabilities and alerts in 2002

Posted Feb 6, 2003 19:12 UTC (Thu) by taruntius (guest, #1140)

Somebody help me understand the huge disparity in the number of green dots for KDE vs. different distributions, compared to the fact that GNOME doesn't even have a line-item in the table. Being pretty new to modern linux systems (most of my experience dates back to 1.2.13. Hey, stop laughing!), and being at a point in a new software project where I have to decide things like whether to use KDE or GNOME to do my GUI, I could really use some help understanding this. Thanks!

Vulnerabilities and alerts in 2002

Posted Feb 6, 2003 20:32 UTC (Thu) by Peter (guest, #1127)

Being pretty new to modern linux systems (most of my experience dates back to 1.2.13. Hey, stop laughing!)

Not laughing - I'm in more or less the same boat, but not back as far. Tried the whole GNOME thing a couple years ago, thought Enlightenment was buggy and confusing, went back to fvwm. Now I have a GNOME toolbar under fvwm, but I don't use it much.

But for developer support, I have to say GTK+ and the GNOME library set are not bad. I just finished my first major GUI effort, using Perl-GTK and Glade. Not without snags - Perl-GTK is somewhat poorly documented and there are certain bugs in it that will probably cause me to rewrite a certain minor module in C, and the Perl/Glade interface had one glaring bug I had to fix (with a kludge) before I continued - but I gotta say, that Glade business is slick; I got off the ground in no time flat. This is with GTK 1.2 - I hear there is a new Perl module for GTK 2.0 that's under heavy development. Haven't investigated it yet.

KDE I haven't even looked at from a developer standpoint, because it is based on Qt which is C++-specific. I understand there are KDE bindings to other languages, but I also understand these other languages are second-class citizens. If you use C++ or a close relative, chances are KDE and Qt will be good to you. If you want complete freedom in language choice, GNOME and GTK seem to be where it's at.

ok..

Your question is about security alerts for KDE vs GNOME. I'm not sure why there should be this disparity, but I think it's an issue of packaging. Both KDE and GNOME come with core libraries, auxiliary libraries, core applications, and auxiliary applications. A specific GNOME or KDE release comprises the core libraries and apps, and "everything else" just tries to stay more or less up-to-date with core library API usage, UI recommendations and other trends. I think the difference is that the core of the GNOME libs and apps is smaller (relative to the whole thing) than that of the KDE libs and apps - KDE tends to encompass more applications in each release, while GNOME tends to let most projects release their own apps on their own time scale. Thus, with security alerts, something affecting a KDE app is more likely to be filed under "KDE" whereas something affecting GNOME will be filed under "scrollkeeper" or "gaim" or "ethereal" or "evolution".

That's just a guess, though.

Vulnerabilities and alerts in 2002

Posted Feb 8, 2003 15:23 UTC (Sat) by ghane (subscriber, #1805)

The particular issue of KDE and Debian is that Debian ships the KDE "set" in multiple packages: kdebase, kdelibs, kdecrypt, etc. So there were multiple announcements over 2 days as each of these was "upgraded", for the same issue.

--
Sanjeev "Ghane" Gupta
Linux MVP brainbench.com

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds