Weekly Edition
Return to the Security page
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Security response: how are we doing?
Linux, as a whole, has a pretty good security record. But software has
bugs, and some of those are security-related bugs, so there will always be
a need for security fixes. When a security problem arises, most of us are entirely
dependent on our distributors to package those fixes and push them out;
the number of users who can learn about security problems and build their
own replacement packages is relatively small. Security response is, thus,
an important point to consider when choosing a distribution for a specific
task.
The following table looks at a number of vulnerabilities that were disclosed, or which prompted the issuance of advisories, in recent months. In each case, the response time for a set of distributions is listed. Before reading this table, though, it is important to understand how the choices were made and what the implications are. In particular:
In the table below, a numeric entry gives the number of days since the initial disclosure, if known, or (most often) the earliest distribution advisory. An entry of "NV" indicates that the distribution was not vulnerable to the indicated problem and, thus, did not need to issue an update. If the entry reads "none," instead, the distribution is vulnerable but has not yet pushed an update.
Before launching into conclusions, your editor would like to point out that distributors have made it much easier to obtain this type of information in recent years. In many cases, it is possible to go directly to a distribution-specific page or bug-tracker entry for a given CVE number. For the most part, distributors are quite open about their exposure to specific vulnerabilities; that is exactly how it should be. Ideally, a table like the above should have no "none" entries at all. There was no distributor without unpatched vulnerabilities, but some clearly have more than others. It is, in particular, sad to see so many missing updates in the Debian column. One could argue that, say, a lack of urgency to fix an rpm vulnerability on Debian's part is understandable, but one could also argue that, if the package is not worth fixing, it probably should not be shipped in the first place. Despite being based on Debian, Ubuntu has a more complete set of updates, but the smallest number of missing updates can be found in the Red Hat and Fedora columns; Red Hat continues to be relatively serious about getting fixes out there. The best way to deal with a vulnerability, of course, is to not be vulnerable to it in the first place. It is interesting to note that the distributions with the most "not vulnerable" entries are the oldest ones (RHEL, Debian stable) and the newest ones. Distributions based on older software get to miss out on more recently introduced bugs, but they also miss the most recent fixes, some of which unknowingly close security holes. There are limits to the conclusions that can be drawn from such a small sample, but there does appear to be a difficult "middle age" for distributions where they are subject to the largest number of known vulnerabilities. Finally, we still are clearly not doing well enough. There are too many vulnerabilities in the first place, and too many of them sit unfixed for too long. The security situation is not getting any more friendly or forgiving; we cannot afford to sit back and think that the security problem is even close to being solved. A lot has been accomplished in this area, but quite a bit remains to be done. (Log in to post comments)
Vulnerability window may not start with disclosure Posted Nov 17, 2011 10:03 UTC (Thu) by epa (subscriber, #39769) [Link]
Rather than counting days since the public disclosure of the bug, wouldn't it be better to count days since the vulnerable version of the code was first shipped with the distribution?
That may be unduly pessimistic, but it is equally too optimistic to assume that a vulnerability does not exist until it is disclosed. So better to give both date ranges - the true period of vulnerability will lie somewhere between the two.
Vulnerability window may not start with disclosure Posted Nov 17, 2011 16:57 UTC (Thu) by raven667 (subscriber, #5198) [Link]
I imagine that information is harder to compile as it would mean analyzing the revision information for each bug and those results aren't already compiled whereas the disclosure date is well published. Also, it would probably be very depressing. It might be useful to get an average or median number of how many vulnerabilities are likely to be present in any system of a sufficient complexity level.
Security response: how are we doing? Posted Nov 17, 2011 16:05 UTC (Thu) by paravoid (subscriber, #32869) [Link]
I'd say that to be fair in comparison, you should probably account for the severity of each vulnerability as well, esp. compared to the response time. It's a serious problem if a zero-day remote vulnerability with an exploit in the wild is fixed in 42 days but not so if a minor potential local DoS is not fixed yet.
Debian, for example¹, is frequently postponing minor vulnerabilities to stable point releases instead of pushing them as security updates.
¹: Disclaimer: I'm a Debian Developer.
Security response: how are we doing? Posted Nov 17, 2011 16:29 UTC (Thu) by joey (subscriber, #328) [Link]
pam: One CVE does not affect pam due to the kernel version in Debian stable. One CVE does not affect the older pam in Debian stable. Debian stable is vulnerable to the last CVE however. http://bugs.debian.org/599832
kdelibs: Debian stable is not vulnerable due to containing an older KDE. http://bugs.debian.org/647298
xorg-x11: "theoretical sec impact", deferred to next point update http://security-tracker.debian.org/tracker/CVE-2010-4818
rpm: Debian systems don't have trust paths to verify digital signatures on rpms when they are eg, installed with alien, so this vulnerability is very unlikely to make dealing with rpms on Debian less secure than it already was. http://security-tracker.debian.org/tracker/CVE-2011-3378
kdelibs Posted Nov 17, 2011 16:37 UTC (Thu) by corbet (editor, #1) [Link] Regarding kdelibs, I was working from the Debian security tracker page; perhaps it needs updating?
kdelibs Posted Nov 17, 2011 17:04 UTC (Thu) by joey (subscriber, #328) [Link]
Sorry, I meant to say that one of the two CVEs does not affect stable. The other, as you note, does. (In other words, rekonq is not vulnerable, but kde4libs is.)
kdelibs Posted Nov 17, 2011 17:09 UTC (Thu) by joey (subscriber, #328) [Link]
Oops, no, I was right the first time. kde4libs in stable is too old to be vulnerable. Updating the tracker.
errata corrige Posted Nov 18, 2011 18:26 UTC (Fri) by zack (subscriber, #7062) [Link]
Hi Jonathan, thanks a lot for this article. Keeping the attention level on security issues high is indeed very important for distros.
I also know that getting this kind of data right is particularly hard, given that there is a lot of internal knowledge in distros which is not always as accessible as it should be. In spite of that, you've done a more than decent job at finding security data.
But it is also good that, in the Free world, we can improve on the basis of feedback we receive, and I'm happy to see that you've already received quite a bit of it in comments. Would you considering updating the table to reflect the factual feedback you received here? AFAICT the following changes are warranted:
- the kdelibs line should be "NV" for Debian
- the rpm line should be NV for both Debian and Ubuntu; the point is not much that both distros package RPM, but rather that the vulnerability affect a feature of RPM that is anyhow unavailable in the two distros
- I think it'd also be fair to mention that the xorg vulnerability in Debian has been postponed to the next point release on purpose; the choice is of course debatable, but making an assessment and deciding to postpone is not quite the same as being lagging behind, as the current presentation seemt to imply
Depending on how you read the above data, the "none" count for Debian would go down to either 3 or 4, the most common value for the columns of your table. Considering that, I think it'd be fair to reconsider your "it is, in particular, sad" comment.
[ Disclaimer: I'm the current Debian Project Leader. As such, my point of view can't be more biased. ]
Security response: how are we doing? Posted Nov 18, 2011 3:59 UTC (Fri) by gilbert (subscriber, #81446) [Link]
> xorg-x11: "theoretical sec impact", deferred to next point update
> http://security-tracker.debian.org/tracker/CVE-2010-4818
Note that there were actually four xorg issues involved in that update (with only two being mentioned in the Redhat/Fedora advisories), and it appears that Ubuntu is the only distro that has fixed the remaining two (as of today) [0].
Among those four, at least CVE-2011-4029 is not theoretical as there is existing exploit code in the wild [1]. That should have been enough to make this one DSA-worthy, but that didn't happen [2]. However, fortunately Debian users taking advantage of the stable-proposed-updates mechanism do have an xorg package with this fix included.
Also unfortunately, the Debian openjdk package unfortunately demonstrates the downside of voluntary software maintenance. If there is no one specifically interested and skilled enough to take care of security issues in the package, then it goes unfixed for long periods of time; whereas in a commercial distro like redhat, there is at least someone saying don't let this thing make us look bad. For example, the latest openjdk DSA, which was issued on 27 Sep 2011 fixed issues disclosed on 2 Feb 2011; a 7 month lag.
There have been talks of setting up a security foundation [4], which would establish longer-term security support for the stable releases and may involve encouragement by dangling carrots (i.e. money) in front of packages that are currently lacking interested security volunteers. Who knows if that experiment would work though since money is a very touchy subject within the Debian community.
Fortunately, it seems that there are very few packages that would fall into this security neglection category; the only other notable exception being webkit [5]. I had been working to improve that, but I simply don't have free time right now as I'm finishing my PhD dissertation.
[0] https://lwn.net/Alerts/464080
Security response: how are we doing? Posted Nov 18, 2011 14:24 UTC (Fri) by bkw1a (subscriber, #4101) [Link]
> Given that CentOS is still not issuing updates for CentOS 6, chosing that > distribution would have led to an ugly column for CentOS below.
Are numbers available for the CentOS 6 "continuous release" repository? CentOS users can enable this by typing:
yum -y install centos-release-cr
Security response: how are we doing? Posted Nov 18, 2011 17:18 UTC (Fri) by eds (guest, #69511) [Link]
Ubuntu fixed Freetype just this morning.
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||