
An incredible number of security advisories for Monday

Debian has updated zope-cmfplone (arbitrary code execution), horde3 (multiple vulnerabilities), zope-cmfplone (again, a fix for the previous fix).

Fedora 7 has updated hugin (arbitrary file overwrite via insecure tmpfile creation), tomboy (arbitrary code execution via untrusted library search path), xpdf (multiple vulnerabilities), koffice (multiple vulnerabilities), inotify-tools (arbitrary code execution via buffer overflow), cups (multiple vulnerabilities), mono (arbitrary code execution via buffer overflow), Django (denial of service).

Fedora 8 has updated kdegraphics (arbitrary code execution), xpdf (multiple vulnerabilities), openldap (multiple vulnerabilities), Django (denial of service), koffice (multiple vulnerabilities).

Foresight has updated pcre (multiple arbitrary code execution vulnerabilities), libpng (multiple denial of service vulnerabilities), perl (arbitrary code execution), ImageMagick (multiple arbitrary code execution vulnerabilities), pidgin (denial of service), ruby (insufficient SSL certificate verification), perl (another arbitrary code execution).

Red Hat has updated kdegraphics (RHEL4 and RHEL5) (multiple arbitrary code execution vulnerabilities).

Slackware has updated php (multiple vulnerabilities), php (again, a fix for the previous fix), xpdf, poppler, koffice, kdegraphics (multiple vulnerabilities).



An incredible number of security advisories for Monday

Posted Nov 12, 2007 22:48 UTC (Mon) by Zenith (subscriber, #24899)

Is it just me, or have the headlines for the security updates started to take on a life of
their own?

"an incredible number", "huge pile", "massive amount" etc. seem to be the line that is being
established.

I know the old-school "Security updates for <weekday-name>day" gets rather dull, but I find
these other variants slightly annoying.

Might just be me though?

An incredible number of security advisories for Monday

Posted Nov 12, 2007 23:07 UTC (Mon) by ncm (subscriber, #165)

More than one is a pile, and a disgrace.  Ten is a huge pile, and an indictment.  If you want
to be annoyed, be annoyed at the bugs, not at reporting on the bugs.  And then do something
about preventing the next round.

An incredible number of security advisories for Monday

Posted Nov 13, 2007 0:20 UTC (Tue) by sbergman27 (subscriber, #10767)

No.  The fact that non-Windows OSes tend to involve less risk for the end user makes some of
us particularly sensitive to the security issue.  It's one of our crown jewels.

But security is but one of many considerations in software development.  To achieve a level of
security quality that would result in <= 1 security advisory per day, over the absolutely
*vast* array of code, including many versions of the same package, that goes into the many
distros on which these things are reported, I'm pretty sure that we would have to give up more
features than most of us would be comfortable giving up.

I know it is fashionable to take a glib and critical stance on this matter.  But in reality,
we do just what MS does.  We balance features and development speed against security.  The
tipping point is in a different place.  That's all.

But I think RedHat/Fedora get it right.  Better to aggressively put good generalized security
safety nets in place, and then develop the features full speed ahead, giving security due
consideration and fixing potential issues as they are reported.  Exec-shield, SELinux,
FORTIFY_SOURCE, and other prudent precautions make many of these silly buffer overflows and
whatnot unexploitable.

But that bit rarely gets reported.

An incredible number of security advisories for Monday

Posted Nov 13, 2007 10:32 UTC (Tue) by nix (subscriber, #2304)

Well, this ten would be half the size if everyone dynamically linked to poppler rather than
statically including most of xpdf all over the bloody place.

An incredible number of security advisories for Monday

Posted Nov 13, 2007 10:12 UTC (Tue) by wingo (subscriber, #26929)

I find it amusing. Also it's pleasing that media libraries (xine, mplayer, gstreamer, vlc) are
not on these lists as much as they used to be.

An incredible number of security advisories for Monday

Posted Nov 13, 2007 13:47 UTC (Tue) by danielhedblom (guest, #47307)

I really don't think many reports are a bad thing. OSS releases vulnerabilities in a very
different way than closed source. What's needed is to educate people in the differences between
open reporting and just reporting holes when someone actively uses them, sometimes not even then
but a sneak fix in another patch.

An incredible number of security advisories for Monday

Posted Nov 13, 2007 15:42 UTC (Tue) by mrjk (subscriber, #48482)

Yes, the way these are reported multiplies the number. Every distribution that patches the same program gets a separate mention. Not that this is a bad thing, if you have one distribution you are following, which is probably most admins. But the general reader (like me) loses track over the weeks because the same bug shows up many times. I think the way it is is the better way; better to be complaining about seeing some issue than to miss it.

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds