By Jonathan Corbet
November 16, 2011
Linux, as a whole, has a pretty good security record. But software has
bugs, and some of those are security-related bugs, so there will always be
a need for security fixes. When a security problem arises, most of us are entirely
dependent on our distributors to package those fixes and push them out;
the number of users who can learn about security problems and build their
own replacement packages is relatively small. Security response is, thus,
an important point to consider when choosing a distribution for a specific
task.
The following table looks at a number of vulnerabilities that were
disclosed, or which prompted the issuance of advisories, in recent months.
In each case, the response time for a set of distributions is listed.
Before reading this table, though, it is important to understand how the
choices were made and what the implications are. In particular:
- The distributions considered are CentOS 5, Debian stable ("squeeze"),
Fedora 15, openSUSE 11.4, Red Hat Enterprise Linux 5,
Scientific Linux 5 and Ubuntu 11.04. The idea was to pick a
recent release of each that is likely to have a significant number of
users. The choice of RHEL 5 (and variants) could easily be
questioned, but it is still likely to be in much heavier use than
RHEL 6. Given that CentOS is still not issuing updates for
CentOS 6, choosing that distribution would have led to an ugly
column for CentOS below.
- The vulnerabilities were chosen in an entirely non-rigorous way with
an eye toward those that might pose a real threat.
In the table below, a numeric entry gives the number of days since the
initial disclosure, if known, or (most often) the earliest distribution
advisory. An entry of "NV" indicates that the distribution was not
vulnerable to the indicated problem and, thus, did not need to issue an
update. If the entry reads "none," instead, the
distribution is vulnerable but has not yet pushed an update.
| Vuln | C5 | Debian | F15 | openSUSE | RH5 | SL5 | Ubuntu | Notes |
|---|---|---|---|---|---|---|---|---|
| apache | 16 | 0 | 17 | 3 | 2 | 2 | 3 | |
| crypt_blowfish | 60 | 80 | 7 | 0 | 59 | 59 | 60 | Debian only partially fixed |
| freetype | 5 | 3 | 20 | none | 4 | 4 | none | |
| kdelibs | 8 | none | 16 | 6 | 8 | 8 | 14 | No Fedora advisory sent |
| kernel | 43 | 0 | NV | none | 42 | 42 | 34 | |
| krb5 | NV | NV | 29 | 6 | NV | NV | 0 | |
| libpng | 66 | 10 | 0 | 30 | 10 | 10 | 8 | |
| mod_proxy | 42 | none | none | 57 | 42 | 42 | 64 | |
| openjdk | 1 | none | 2 | 10 | 0 | 1 | none | |
| openssl | NV | NV | 0 | 40 | NV | NV | NV | |
| pam | 0 | none | 1 | 367 | 0 | none | 210 | |
| pam | NV | 0 | NV | 9 | NV | NV | 0 | |
| php | 127 | 0 | 81 | 110 | 126 | 126 | 111 | |
| quagga | none | 7 | 20 | 20 | none | none | 46 | |
| rpm | 0 | none | 2 | 31 | 0 | 0 | none | Debian/Ubuntu do package RPM |
| Xorg | 15 | none | NV | none | 15 | 15 | 27 | 2010 CVE; F14 still vulnerable |

Before launching into conclusions, your editor would like to point out that
distributors have made it much easier to obtain this type of information in
recent years. In many cases, it is possible to go directly to a
distribution-specific page or bug-tracker entry for a given CVE number.
For the most part, distributors are quite open about their exposure to
specific vulnerabilities; that is exactly how it should be.
Ideally, a table like the above should have no "none" entries at all.
There was no distributor without unpatched vulnerabilities, but some
clearly have more than others. It is, in particular, sad to see so many
missing updates in the Debian column. One could argue that, say, a lack of
urgency to fix an rpm vulnerability on Debian's part is understandable, but
one could also argue that, if the package is not worth fixing, it probably
should not be shipped in the first place. Despite being based on Debian,
Ubuntu has a more complete set of updates, but the smallest number of missing updates
can be found in the Red Hat and Fedora columns; Red Hat continues to be
relatively serious about getting fixes out there.
The best way to deal with a vulnerability, of course, is to not be
vulnerable to it in the first place. It is interesting to note that the
distributions with the most "not vulnerable" entries are the oldest ones
(RHEL, Debian stable) and the newest ones. Distributions based on older
software get to miss out on more recently introduced bugs, but they also
miss the most recent fixes, some of which unknowingly close security
holes. There are limits to the conclusions that can be drawn from such a
small sample, but there does appear to be a difficult "middle age" for
distributions where they are subject to the largest number of known
vulnerabilities.
Finally, we still are clearly not doing well enough. There are too many
vulnerabilities in the first place, and too many of them sit unfixed for
too long. The security situation is not getting any more friendly or
forgiving; we cannot afford to sit back and think that the security problem
is even close to being solved. A lot has been accomplished in this area,
but quite a bit remains to be done.
Brief items
A conventional hacker or criminal isn't interested in any particular
target. He wants a thousand credit card numbers for fraud, or to break into
an account and turn it into a zombie, or whatever. Security against this
sort of attacker is relative; as long as you're more secure than almost
everyone else, the attackers will go after other people, not you. An APT
[Advanced Persistent Threat] is different; it's an attacker who -- for whatever reason -- wants to attack you. Against this sort of attacker, the absolute level of your security is what's important. It doesn't matter how secure you are compared to your peers; all that matters is whether you're secure enough to keep him out.
APT attackers are more highly motivated. They're likely to be better skilled, better funded, and more patient. They're likely to try several different avenues of attack. And they're much more likely to succeed.
-- Bruce Schneier
The US will be able to block a site's web traffic, ad traffic and search
traffic using the same website censorship methods used by China, Iran and
Syria.
-- Mozilla on the "Stop Online Piracy Act" (SOPA)
A while back Homeland Security asked Mozilla to take-down an add-on without
a court order or a finding of liability. Under a SOPA regime, it appears
the same incident would allow the putative plaintiffs to petition the
Attorney General to issue an injunction compelling take-down based only on
a specious claim of contributory infringement. Oddly SOPA makes one really
appreciate the DMCA.
-- Harvey Anderson, general counsel for Mozilla
We're introducing a method that lets you opt out of having your wireless
access point included in the Google Location Server. To opt out, visit your
access point's settings and change the wireless network name (or SSID) so
that it ends with "_nomap." For example, if your SSID is "Network," you'd
need to change it to "Network_nomap."
-- Google adds a privacy option that many access point owners may find challenging to use
New vulnerabilities
acroread: multiple vulnerabilities
| Package(s): | acroread |
|---|---|
| CVE #(s): | CVE-2011-1353, CVE-2011-2441 |
| Created: | November 15, 2011 |
| Updated: | November 21, 2011 |

Description, from the CVE entries:

Unspecified vulnerability in Adobe Reader 10.x before 10.1.1 on Windows allows local users to gain privileges via unknown vectors. (CVE-2011-1353)

Multiple stack-based buffer overflows in CoolType.dll in Adobe Reader and Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x before 10.1.1 allow attackers to execute arbitrary code via unspecified vectors. (CVE-2011-2441)
cacti: SQL injection/cross-site scripting
| Package(s): | cacti |
|---|---|
| CVE #(s): | |
| Created: | November 14, 2011 |
| Updated: | November 16, 2011 |

Description:

Cacti version 0.8.7h fixes an SQL injection issue in user login and several cross-site scripting issues. The Cacti release notes provide few details.
flash-plugin: abandon all hope
| Package(s): | flash-plugin |
|---|---|
| CVE #(s): | CVE-2011-2445, CVE-2011-2450, CVE-2011-2451, CVE-2011-2452, CVE-2011-2453, CVE-2011-2454, CVE-2011-2455, CVE-2011-2456, CVE-2011-2457, CVE-2011-2459, CVE-2011-2460 |
| Created: | November 11, 2011 |
| Updated: | November 17, 2011 |

Description, from the Red Hat advisory:

Multiple security flaws were found in the way flash-plugin displayed
certain SWF content. An attacker could use these flaws to create a
specially-crafted SWF file that would cause flash-plugin to crash or,
potentially, execute arbitrary code when the victim loaded a page
containing the specially-crafted SWF content. (CVE-2011-2445,
CVE-2011-2450, CVE-2011-2451, CVE-2011-2452, CVE-2011-2453, CVE-2011-2454,
CVE-2011-2455, CVE-2011-2456, CVE-2011-2457, CVE-2011-2459, CVE-2011-2460)
graphite2: unspecified vulnerabilities
| Package(s): | graphite2 |
|---|---|
| CVE #(s): | |
| Created: | November 14, 2011 |
| Updated: | November 16, 2011 |

Description, from the Mandriva advisory:

Unspecified vulnerabilities were discovered in graphite2 concerning
specially crafted TTF fonts, which have unknown impact. As a
preemptive measure the new 1.0.3 version is being provided where this
is fixed.
lightdm: privilege escalation
| Package(s): | lightdm |
|---|---|
| CVE #(s): | CVE-2011-3153, CVE-2011-4105 |
| Created: | November 15, 2011 |
| Updated: | March 13, 2012 |

Description, from the Ubuntu advisory:

It was discovered that Light Display Manager incorrectly handled privileges
when reading .dmrc files. A local attacker could exploit this issue to read
arbitrary configuration files, bypassing intended permissions.
(CVE-2011-3153)

It was discovered that Light Display Manager incorrectly handled links when
adjusting permissions on .Xauthority files. A local attacker could exploit
this issue to access arbitrary files, and possibly obtain increased
privileges. In the default Ubuntu installation, this would be prevented
by the Yama link restrictions. (CVE-2011-4105)
mozilla: multiple vulnerabilities
| Package(s): | mozilla |
|---|---|
| CVE #(s): | CVE-2011-3651, CVE-2011-3652, CVE-2011-3654, CVE-2011-3655 |
| Created: | November 10, 2011 |
| Updated: | July 23, 2012 |

Description, from the Mandriva advisory:

Multiple unspecified vulnerabilities in the browser engine in
Mozilla Firefox 7.0 and Thunderbird 7.0 allow remote attackers to
cause a denial of service (memory corruption and application crash)
or possibly execute arbitrary code via unknown vectors (CVE-2011-3651).

The browser engine in Mozilla Firefox before 8.0 and Thunderbird before
8.0 does not properly allocate memory, which allows remote attackers
to cause a denial of service (memory corruption and application
crash) or possibly execute arbitrary code via unspecified vectors
(CVE-2011-3652).

The browser engine in Mozilla Firefox before 8.0 and Thunderbird
before 8.0 does not properly handle links from SVG mpath elements to
non-SVG elements, which allows remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via unspecified vectors (CVE-2011-3654).

Mozilla Firefox 4.x through 7.0 and Thunderbird 5.0 through 7.0 perform
access control without checking for use of the NoWaiverWrapper wrapper,
which allows remote attackers to gain privileges via a crafted web site
(CVE-2011-3655).
ocsinventory: cross-site scripting
| Package(s): | ocsinventory |
|---|---|
| CVE #(s): | CVE-2011-4024 |
| Created: | November 14, 2011 |
| Updated: | September 24, 2012 |

Description, from the CVE entry:

Cross-site scripting (XSS) vulnerability in ocsinventory in OCS Inventory NG 2.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
openssl: provides updated library
| Package(s): | openssl0.9.8 |
|---|---|
| CVE #(s): | |
| Created: | November 14, 2011 |
| Updated: | November 16, 2011 |

Description, from the Mandriva advisory:

On Mandriva Linux 2010.2 we provided the old openssl 0.9.8 library
but without a source RPM file. This could pose a security risk for
third party commercial applications that still use the older OpenSSL
library, therefore the latest stable openssl 0.9.8r library is being
provided.
proftpd: remote code execution
| Package(s): | proftpd-dfsg proftpd |
|---|---|
| CVE #(s): | CVE-2011-4130 |
| Created: | November 16, 2011 |
| Updated: | February 13, 2012 |

Description:

ProFTPD suffers from a use-after-free bug that may be exploitable by a remote attacker for arbitrary code execution.
python-django-piston: remote code execution
| Package(s): | python-django-piston |
|---|---|
| CVE #(s): | CVE-2011-4103 |
| Created: | November 14, 2011 |
| Updated: | November 16, 2011 |

Description, from the Debian advisory:

It was discovered that the Piston framework can deserialize untrusted
YAML and Pickle data, leading to remote code execution.
wireshark: multiple vulnerabilities
| Package(s): | wireshark |
|---|---|
| CVE #(s): | |
| Created: | November 15, 2011 |
| Updated: | November 16, 2011 |

Description:

Wireshark 1.6.3 fixes several security bugs. See the release notes for details.
Page editor: Jake Edge