The full 2003 vulnerability and alerts table [LWN.net]

The ticks indicate fixes, which is why some have 2 ticks as there have been multiple attempts at a fix. If you click on a tick, you'll go the page containing the alert for that distribution.

The full 2003 vulnerability and alerts table

Posted Jan 15, 2004 15:55 UTC (Thu) by PhracturedBlue (subscriber, #4193) [Link]

Good question. I think the answer is 'Yes'. For instance there are no ticks for Debian for apache. In this case, I believe it is because these vulnerabilities are all apache2, and Debian hasn't released a distro with apache2 yet (so there are no packages to fix...testing and sid don't get SA notices). However, it may be that there are other cases where a distro just didn't fix an issue (or didn't release a security alert)

The full 2003 vulnerability and alerts table

Posted Jan 16, 2004 1:06 UTC (Fri) by bignose (subscriber, #40) [Link]

> Interesting. So, do the empty fields mean "this distribution does not have
> this particular vulnerability" or "this distribution didn't do anything
> about this particular vulnerability"?

Neither; an empty field means "this distribution did not issue an alert relating to this vulnerability".

Without an alert, of course, the LWN vulnerability database can't know *why* there's no alert. In each case, it could be one of the reasons you specify, or something else.

The full 2003 vulnerability and alerts table

Posted Jan 16, 2004 1:13 UTC (Fri) by corbet (editor, #1) [Link]

Adding a "not vulnerable" note to the database has been on my list from the beginning. The hacking is easy; actually verifying that a distribution is not vulnerable is hard, and can only be done with a fair amount of people time. If we ever get to where we could invest the time to properly set a "not vulnerable" flag, it will go in.

The full 2003 vulnerability and alerts table

Posted Jan 22, 2004 16:03 UTC (Thu) by drathos (guest, #6454) [Link]

Nope. I can't see any other distribution including susehelp, for example. :)

I also think the reason Fedora was relatively lacking in alerts is because it was not until the fall that it took over the end-user version of Red Hat.

That said, SuSE is quite a large distro as well, but it didn't have near as many alerts as Debian. Also, it seems that Debian tends to have to "fix" problems multiple times a lot (like one of the KDE problems - 10 times!). That is rather disturbing to me..

Also, I'm not sure about the other distros, but SuSE had actually fixed some of the problems well before the security alert was issued. The kernel brk() issue had been fixed in a release in November (and if I remember the changelog correctly, the issue itself had been fixed a month or two before that), yet the issue didn't rear it's ugly head until December.

The full 2003 vulnerability and alerts table

Posted Jan 22, 2004 19:24 UTC (Thu) by razholio (subscriber, #5706) [Link]

>That said, SuSE is quite a large distro as well, but it didn't have near as >many alerts as Debian. Also, it seems that Debian tends to have to "fix" >problems multiple times a lot (like one of the KDE problems - 10 times!). >That is rather disturbing to me..

um, no. Please check the actual alerts. Debian released 10 separate alerts for 10 separate KDE packages all of which resulted from the single alert from KDE. I think you'll find the majority of the cases where debian releases more than one alert for a single upstream alert, result from there being more than one package affected by the upstream alert.

Also note that there have been numerous upstream alerts in the past that did not affect debian specifically because of the way debian packaged that particular app.