* Martin Zobel-Helas:

> one should mention this is only about open available security bugs for
> stable.

Sorry, I don't understand what you are trying to say. Perhaps you mean weeding out packages which are incorrectly listed as vulnerable?
* Moritz Muehlenhoff:

> Before bringing this to a wider audience more false positives and
> non-issues should be weeded out (or at least document it very
> clearly that most are theoretical issues, that do not affect your
> system's security in a real-world situation, e.g. by setting the
> display default to >= medium).

This approach has a certain "because it's devastating to my case" aspect. I don't really like pampering over these issues for PR reasons. If DDs can't be bothered to fix minor security issues, we should be open about it.

> E.g. the first four entries in the list of "vulnerabilities w/o
> updates" for my notebook are all more or less moot:

Sure, I should add an urgency filter. But this is not a real substitute for fixing bugs.
Hi Florian,

On Wednesday, 18 Jan 2006, you wrote:
> Hi,
>
> I intend to send a real debsecan announcement to debian-devel and
> debian-security. A draft is included below. Comments are
> appreciated.
>
> The underlying vulnerability database is maintained by the Debian
> testing security team: <http://secure-testing-master.debian.net/>
> Despite its name, the database is up-to-date with respect to unstable
> as well, and thanks to the efforts of the testing security team,
> coverage of stable is getting better and better.

One should mention this is only about open, available security bugs for stable.
Florian Weimer wrote:
> I intend to send a real debsecan announcement to debian-devel and
> debian-security. A draft is included below. Comments are
> appreciated.

Before bringing this to a wider audience more false positives and non-issues should be weeded out (or at least document it very clearly that most are theoretical issues, that do not affect your system's security in a real-world situation, e.g. by setting the display default to >= medium).

E.g. the first four entries in the list of "vulnerabilities w/o updates" for my notebook are all more or less moot:

CVE-2004-0175 Directory traversal vulnerability in scp for OpenSSH...
  <http://idssi.enyo.de/tracker/CVE-2004-0175>
  - ssh, openssh-server, openssh-client (remotely exploitable)

CVE-2004-1617 Lynx allows remote attackers to cause a denial of...
  <http://idssi.enyo.de/tracker/CVE-2004-1617>
  - lynx (remotely exploitable, low urgency)

CVE-2004-2531 X.509 Certificate Signature Verification in Gnu...
  <http://idssi.enyo.de/tracker/CVE-2004-2531>
  - libgnutls11 (remotely exploitable, low urgency)

CVE-2005-0406 A design flaw in image processing software that...
  <http://idssi.enyo.de/tracker/CVE-2005-0406>
  - libmagick9, imagemagick (low urgency)

Cheers,
Moritz
On Wed, Jan 18, 2006 at 07:12:10PM +0100, Florian Weimer wrote:
> Hi,
>
> I intend to send a real debsecan announcement to debian-devel and
> debian-security. A draft is included below. Comments are
> appreciated.
>

Nah, you should send it to debian-devel-announce with a subject of "For those who care about security"

Neil :)

-- 
neilm@debian.org | Application Manager | Secure-Testing Team member | Webapps Team member
gpg: B345BDD3
Please don't cc, I'm subscribed to the list
Florian Weimer wrote:
> > Before bringing this to a wider audience more false positives and
> > non-issues should be weeded out (or at least document it very
> > clearly that most are theoretical issues, that do not affect your
> > system's security in a real-world situation, e.g. by setting the
> > display default to >= medium).
>
> This approach has a certain "because it's devastating to my case"
> aspect. I don't really like pampering over these issues for PR
> reasons. If DDs can't be bothered to fix minor security issues, we
> should be open about it.

It's not about PR, it's about making it useful; without deeper knowledge about the issues a user cannot judge which really affect her system and it's just spreading a false sense of vulnerability. I'm absolutely for tracking real security problems openly, but please do it reasonably, the current web overview is already too cluttered. Plus, no one stops you from bugging sloppy maintainers with the list we already have, just do it.

> > E.g. the first four entries in the list of "vulnerabilities w/o
> > updates" for my notebook are all more or less moot:
>
> Sure, I should add an urgency filter. But this is not a real
> substitute for fixing bugs.

Then you should better spend your time on fixing them. We have a 0-day NMU policy, go ahead.

Cheers,
Moritz
Hi,

I intend to send a real debsecan announcement to debian-devel and debian-security. A draft is included below. Comments are appreciated.

Florian

To: debian-devel, debian-security
Reply-To: debian-security
Subject: [ANN] Debian Security Analyzer

It is my pleasure to announce the availability of debsecan, the Debian Security Analyzer.

debsecan is a tool which generates a list of vulnerabilities which affect a particular Debian installation. The program runs on the host which is to be checked, and downloads vulnerability information over the Internet. It can send mail to interested parties when new vulnerabilities relevant to a particular Debian host are discovered, or when security updates become available.

The underlying vulnerability database is maintained by the Debian testing security team: <http://secure-testing-master.debian.net/>

Despite its name, the database is up-to-date with respect to unstable as well, and thanks to the efforts of the testing security team, coverage of stable is getting better and better.

debsecan is available as a Debian package, or directly from this web site: <http://www.enyo.de/fw/software/debsecan/>

It is designed to work as a stand-alone script, with no dependencies besides Python 2.3 or later.

One caveat: Vulnerability information for kernels which are not based on the linux-2.6 package in testing or unstable is still very incomplete. The linux-2.6 package should be covered fairly well, though.