User: Password:
Subscribe / Log in / New account


Security response: how are we doing?

By Jonathan Corbet
November 16, 2011
Linux, as a whole, has a pretty good security record. But software has bugs, and some of those are security-related bugs, so there will always be a need for security fixes. When a security problem arises, most of us are entirely dependent on our distributors to package those fixes and push them out; the number of users who can learn about security problems and build their own replacement packages is relatively small. Security response is, thus, an important point to consider when choosing a distribution for a specific task.

The following table looks at a number of vulnerabilities that were disclosed, or which prompted the issuance of advisories, in recent months. In each case, the response time for a set of distributions is listed. Before reading this table, though, it is important to understand how the choices were made and what the implications are. In particular:

  • The distributions considered are CentOS 5, Debian stable ("squeeze"), Fedora 15, openSUSE 11.4, Red Hat Enterprise Linux 5, Scientific Linux 5 and Ubuntu 11.04. The idea was to pick a recent release of each that is likely to have a significant number of users. The choice of RHEL 5 (and variants) could easily be questioned, but it is still likely to be in much heavier use than RHEL 6. Given that CentOS is still not issuing updates for CentOS 6, choosing that distribution would have led to an ugly column for CentOS below.

  • The vulnerabilities were chosen in an entirely non-rigorous way with an eye toward those that might pose a real threat.

In the table below, a numeric entry gives the number of days since the initial disclosure, if known, or (most often) the earliest distribution advisory. An entry of "NV" indicates that the distribution was not vulnerable to the indicated problem and, thus, did not need to issue an update. If the entry reads "none," instead, the distribution is vulnerable but has not yet pushed an update.

Vuln C5 Debian F15 openSUSE RH5 SL5 Ubuntu Notes
apache 16 0 17 3 2 2 3
crypt_blowfish 60 80 7 0 59 59 60 Debian only partially fixed
freetype 5 3 20 none 4 4 none
kdelibs 8 none 16 6 8 8 14 No Fedora advisory sent
kernel 43 0 NV none 42 42 34
krb5 NV NV 29 6 NV NV 0
libpng 66 10 0 30 10 10 8
mod_proxy 42 none none 57 42 42 64
openjdk 1 none 2 10 0 1 none
openssl NV NV 0 40 NV NV NV
pam 0 none 1 367 0 none 210
pam NV 0 NV 9 NV NV 0
php 127 0 81 110 126 126 111
quagga none 7 20 20 none none 46
rpm 0 none 2 31 0 0 none Debian/Ubuntu do package RPM
Xorg 15 none NV none 15 15 27 2010 CVE; F14 still vulnerable

Before launching into conclusions, your editor would like to point out that distributors have made it much easier to obtain this type of information in recent years. In many cases, it is possible to go directly to a distribution-specific page or bug-tracker entry for a given CVE number. For the most part, distributors are quite open about their exposure to specific vulnerabilities; that is exactly how it should be.

Ideally, a table like the above should have no "none" entries at all. There was no distributor without unpatched vulnerabilities, but some clearly have more than others. It is, in particular, sad to see so many missing updates in the Debian column. One could argue that, say, a lack of urgency to fix an rpm vulnerability on Debian's part is understandable, but one could also argue that, if the package is not worth fixing, it probably should not be shipped in the first place. Despite being based on Debian, Ubuntu has a more complete set of updates, but the smallest number of missing updates can be found in the Red Hat and Fedora columns; Red Hat continues to be relatively serious about getting fixes out there.

The best way to deal with a vulnerability, of course, is to not be vulnerable to it in the first place. It is interesting to note that the distributions with the most "not vulnerable" entries are the oldest ones (RHEL, Debian stable) and the newest ones. Distributions based on older software get to miss out on more recently introduced bugs, but they also miss the most recent fixes, some of which unknowingly close security holes. There are limits to the conclusions that can be drawn from such a small sample, but there does appear to be a difficult "middle age" for distributions where they are subject to the largest number of known vulnerabilities.

Finally, we still are clearly not doing well enough. There are too many vulnerabilities in the first place, and too many of them sit unfixed for too long. The security situation is not getting any more friendly or forgiving; we cannot afford to sit back and think that the security problem is even close to being solved. A lot has been accomplished in this area, but quite a bit remains to be done.

Comments (11 posted)

Brief items

Security quotes of the week

A conventional hacker or criminal isn't interested in any particular target. He wants a thousand credit card numbers for fraud, or to break into an account and turn it into a zombie, or whatever. Security against this sort of attacker is relative; as long as you're more secure than almost everyone else, the attackers will go after other people, not you. An APT [Advanced Persistent Threat] is different; it's an attacker who -- for whatever reason -- wants to attack you. Against this sort of attacker, the absolute level of your security is what's important. It doesn't matter how secure you are compared to your peers; all that matters is whether you're secure enough to keep him out.

APT attackers are more highly motivated. They're likely to be better skilled, better funded, and more patient. They're likely to try several different avenues of attack. And they're much more likely to succeed.

-- Bruce Schneier

The US will be able to block a site's web traffic, ad traffic and search traffic using the same website censorship methods used by China, Iran and Syria.
-- Mozilla on the "Stop Online Piracy Act" (SOPA)

A while back Homeland Security asked Mozilla to take-down an add-on without a court order or a finding of liability. Under a SOPA regime, it appears the same incident would allow the putative plaintiffs to petition the Attorney General to issue an injunction compelling take-down based only on a specious claim of contributory infringement. Oddly SOPA makes one really appreciate the DMCA.
-- Harvey Anderson, general counsel for Mozilla

We're introducing a method that lets you opt out of having your wireless access point included in the Google Location Server. To opt out, visit your access point's settings and change the wireless network name (or SSID) so that it ends with "_nomap." For example, if your SSID is "Network," you'd need to change it to "Network_nomap."
-- Google adds a privacy option that many access point owners may find challenging to use

Comments (43 posted)

New vulnerabilities

acroread: multiple vulnerabilities

Package(s):acroread CVE #(s):CVE-2011-1353 CVE-2011-2441
Created:November 15, 2011 Updated:November 21, 2011
Description: From the CVE entries:

Unspecified vulnerability in Adobe Reader 10.x before 10.1.1 on Windows allows local users to gain privileges via unknown vectors. (CVE-2011-1353).

Multiple stack-based buffer overflows in CoolType.dll in Adobe Reader and Acrobat 8.x before 8.3.1, 9.x before 9.4.6, and 10.x before 10.1.1 allow attackers to execute arbitrary code via unspecified vectors. (CVE-2011-2441)

Gentoo 201201-19 acroread 2012-01-30
SUSE SUSE-SA:2011:044 acroread 2011-11-16
SUSE SUSE-SU-2011:1239-1 Acrobat Reader 2011-11-15

Comments (none posted)

cacti: SQL injection/cross-site scripting

Package(s):cacti CVE #(s):
Created:November 14, 2011 Updated:November 16, 2011
Description: Cacti version 0.8.7h fixes SQL injection issue with user login and cross-site scripting issues. The Cacti release notes provides few details.
Fedora FEDORA-2011-15071 cacti 2011-10-29
Fedora FEDORA-2011-15110 cacti 2011-10-29
Fedora FEDORA-2011-15032 cacti 2011-10-28

Comments (none posted)

flash-plugin: abandon all hope

Package(s):flash-plugin CVE #(s):CVE-2011-2445 CVE-2011-2450 CVE-2011-2451 CVE-2011-2452 CVE-2011-2453 CVE-2011-2454 CVE-2011-2455 CVE-2011-2456 CVE-2011-2457 CVE-2011-2459 CVE-2011-2460
Created:November 11, 2011 Updated:November 17, 2011

From the Red Hat advisory:

Multiple security flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content. (CVE-2011-2445, CVE-2011-2450, CVE-2011-2451, CVE-2011-2452, CVE-2011-2453, CVE-2011-2454, CVE-2011-2455, CVE-2011-2456, CVE-2011-2457, CVE-2011-2459, CVE-2011-2460)

SUSE   flash-player 2011-11-15
openSUSE openSUSE-SU-2011:1240-2 flash-player 2011-11-16
openSUSE openSUSE-SU-2011:1240-1 flash-player 2011-11-15
Red Hat RHSA-2011:1445-01 flash-plugin 2011-11-11
SUSE SUSE-SU-2011:1244-1 flash-player 2011-11-15

Comments (4 posted)

graphite2: unspecified vulnerabilities

Package(s):graphite2 CVE #(s):
Created:November 14, 2011 Updated:November 16, 2011
Description: From the Mandriva advisory:

Unspecified vulnerabilities were discovered in graphite2 concerning specially crafted TTF fonts and which has unknown impact. As a preemptive measure the new 1.0.3 version is being provided where this is fixed.

Mandriva MDVSA-2011:174 graphite2 2011-11-14

Comments (none posted)

lightdm: privilege escalation

Package(s):lightdm CVE #(s):CVE-2011-3153 CVE-2011-4105
Created:November 15, 2011 Updated:March 13, 2012
Description: From the Ubuntu advisory:

It was discovered that Light Display Manager incorrectly handled privileges when reading .dmrc files. A local attacker could exploit this issue to read arbitrary configuration files, bypassing intended permissions. (CVE-2011-3153)

It was discovered that Light Display Manager incorrectly handled links when adjusting permissions on .Xauthority files. A local attacker could exploit this issue to access arbitrary files, and possibly obtain increased privileges. In the default Ubuntu installation, this would be prevented by the Yama link restrictions. (CVE-2011-4105)

Ubuntu USN-1262-1 lightdm 2011-11-15

Comments (none posted)

mozilla: multiple vulnerabilities

Package(s):mozilla CVE #(s):CVE-2011-3651 CVE-2011-3652 CVE-2011-3654 CVE-2011-3655
Created:November 10, 2011 Updated:July 23, 2012

From the Mandriva advisory:

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 7.0 and Thunderbird 7.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2011-3651).

The browser engine in Mozilla Firefox before 8.0 and Thunderbird before 8.0 does not properly allocate memory, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors (CVE-2011-3652).

The browser engine in Mozilla Firefox before 8.0 and Thunderbird before 8.0 does not properly handle links from SVG mpath elements to non-SVG elements, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors (CVE-2011-3654).

Mozilla Firefox 4.x through 7.0 and Thunderbird 5.0 through 7.0 perform access control without checking for use of the NoWaiverWrapper wrapper, which allows remote attackers to gain privileges via a crafted web site (CVE-2011-3655).

openSUSE openSUSE-SU-2014:1100-1 Firefox 2014-09-09
Gentoo 201301-01 firefox 2013-01-07
Mageia MGASA-2012-0176 iceape 2012-07-21
openSUSE openSUSE-SU-2012:0567-1 firefox, thunderbird, seamonkey, xulrunner 2012-04-27
openSUSE openSUSE-SU-2011:1290-1 Seamonkey 2011-12-01
Ubuntu USN-1282-1 thunderbird 2011-11-28
Ubuntu USN-1277-2 mozvoikko, ubufox 2011-11-23
Ubuntu USN-1277-1 firefox 2011-11-23
openSUSE openSUSE-SU-2011:1243-1 MozillaFirefox 2011-11-15
SUSE SUSE-SU-2011:1256-2 mozilla-nss 2011-11-21
SUSE SUSE-SU-2011:1256-1 Mozilla Firefox 2011-11-18
Mandriva MDVSA-2011:169 mozilla 2011-11-09

Comments (none posted)

ocsinventory: cross-site scripting

Package(s):ocsinventory CVE #(s):CVE-2011-4024
Created:November 14, 2011 Updated:September 24, 2012
Description: From the CVE entry:

Cross-site scripting (XSS) vulnerability in ocsinventory in OCS Inventory NG 2.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Mageia MGASA-2012-0275 ocsinventory 2012-09-23
Mandriva MDVSA-2012:053 ocsinventory 2012-04-04
Fedora FEDORA-2011-15007 ocsinventory 2011-10-27
Fedora FEDORA-2011-14963 ocsinventory 2011-10-27

Comments (none posted)

openssl: provides updated library

Package(s):openssl0.9.8 CVE #(s):
Created:November 14, 2011 Updated:November 16, 2011
Description: From the Mandriva advisory:

On Mandriva Linux 2010.2 we provided the old openssl 0.9.8 library but without a source RPM file. This could pose a security risk for third party commercial applications that still uses the older OpenSSL library, therefore the latest stable openssl 0.9.8r library is being provided.

Mandriva MDVSA-2011:173 openssl0.9.8 2011-11-12

Comments (none posted)

proftpd: remote code execution

Package(s):proftpd-dfsg proftpd CVE #(s):CVE-2011-4130
Created:November 16, 2011 Updated:February 13, 2012
Description: ProFTPD suffers from a use-after-free bug that may be exploitable by a remote attacker for arbitrary code execution.
Gentoo 201309-15 proftpd 2013-09-24
Slackware SSA:2012-041-04 proftpd 2012-02-10
Mandriva MDVSA-2011:181 proftpd 2011-12-07
Fedora FEDORA-2011-15741 proftpd 2011-11-11
Fedora FEDORA-2011-15740 proftpd 2011-11-11
Fedora FEDORA-2011-15765 proftpd 2011-11-11
Debian DSA-2346-1 proftpd-dfsg 2011-11-15

Comments (none posted)

python-django-piston: remote code execution

Package(s):python-django-piston CVE #(s):CVE-2011-4103
Created:November 14, 2011 Updated:November 16, 2011
Description: From the Debian advisory:

It was discovered that the Piston framework can deserialize untrusted YAML and Pickle data, leading to remote code execution.

Debian DSA-2344-1 python-django-piston 2011-11-11

Comments (none posted)

wireshark: multiple vulnerabilities

Package(s):wireshark CVE #(s):
Created:November 15, 2011 Updated:November 16, 2011
Description: Wireshark 1.6.3 fixes several security bugs. See the release notes for details.
Fedora FEDORA-2011-15328 wireshark 2011-11-03
Fedora FEDORA-2011-15338 wireshark 2011-11-03
Fedora FEDORA-2011-15290 wireshark 2011-11-02

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds