
Linux security in 2003

Here in the free software world, we had no shortage of security problems in 2003. Vulnerabilities were announced in many packages, including (but not limited to) apache (several), balsa, bind, bugzilla, cdrecord, cfengine, cron, cups, cvs, ethereal (many), evolution, exim, fetchmail (many), fileutils, gdm, ghostscript, glibc, gnupg, gzip, hylafax, inetd, iproute, KDE, kerberos, kernel (several), lprng, lsh, lynx, mailman, man, mozilla, mpg123, mplayer, mutt, MySQL, openssh, openssl (several), perl, pine, PHP, postfix, PostgreSQL, proftpd, python, rsync, samba, screen, sendmail, snort, stunnel, sudo, tcpdump, vim, webmin, wget, wu-ftpd, xchat, XFree86, xinetd, xpdf, and zlib. All told, 304 entries were added to LWN's vulnerability database in 2003. Needless to say, that is far too many - and it does not count all of the problems which were silently fixed without going through a security alert process. As a community, we have to strive to do better in 2004. For all that we believe Linux and free software are more secure, there is no doubt that they are not, yet, secure enough.

The truly worrisome security trend in 2003, however, is the increasing level of attacks on the community's infrastructure. Servers were compromised at the GNU Project (twice) and the Debian Project (multiple servers in one incident). A mirror server for the Gentoo distribution was also broken into. There was also a compromise of the kernel's CVS server and an attempt to insert a trojan horse into the kernel itself. None of these attacks ended up with compromised code being made available to users, but most of them could have been exploited in that way.

Maybe these are all just random attacks (though an attempt to trojan the kernel can only be so random), or maybe somebody is making an attempt to mess with the server structure which holds this community together. Either way, chances are that, eventually, one of these attacks will succeed in causing serious damage, far beyond the service disruptions and lost time we have seen so far. The real lesson from 2003 is that there really are people out there with evil intent, and they are looking our way.


Linux security in 2003

Posted Mar 3, 2006 17:55 UTC (Fri) by overgroove (guest, #36266) [Link]

Who are you?

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds