[Linux-aus] Now tell the rest of the story...

Anthony Towns aj at azure.humbug.org.au
Fri Mar 26 10:08:01 UTC 2004


On Tue, Mar 23, 2004 at 11:43:37AM +1030, Paul Shirren wrote:
> Perhaps Anthony Towns would like to comment on this line from the article:
> "For example, Debian (Debian GNU/Linux) has left vulnerabilities there
> and didn't release any patches for them."

Not really; it's certainly true in some cases -- we don't do security
support for unreleased distributions (testing, unstable or experimental),
so there are definitely vulnerabilities left in some of those packages;
and I'm sure in some cases those packages get dropped rather than patched.

There seem to be a bunch of problems in the bug tracking system that
are listed as security issues related to the current stable release; I
had a quick chat with a couple of the security team members and most of
those reports do seem to be misfiled, although a couple do need further
investigation, and an ecartis bug (which has since had an advisory
released) was indeed dropped on the floor. The bugs reported as potential
security issues for the current stable release can currently be found at:

http://bugs.debian.org/cgi-bin/pkgreport.cgi?which=tag&data=security&include=woody

Certainly leaving things unpatched isn't our standard procedure --
the thirteen bugs listed there over a period of about a year compare
with 185 security updates issued in 2003.

By comparison, Microsoft issued 51 updates in 2003, according to
http://www.microsoft.com/technet/security/CurrentDL.aspx, although a fair
number of those were "cumulative updates".

I've written to Mr Krasovitsky to see if we can find out some more details
to work out if there are more problems that need fixing.

> Is it just me or did it take months for Microsoft to release a fix for
> the ASN.1 vulnerability. I looked it up at the time and I think the
> dates for fixes were something like:
> FreeBSD: 3 October 2003
> Debian GNU/Linux: 11 October 2003
> Microsoft: February 10, 2004?

There's DSA 393-1, a remote DoS bug in openssl, which is listed as
being reported/fixed on 2003/10/01, apparently. The CVE ids for that
vulnerability were CAN-2003-0543 and CAN-2003-0544.

The ASN.1 parsing vulnerability is listed as being reported on 2003/10/11
and fixed on 2003/10/11, and the CVE refs are the above two and CAN-2003-0545.

The three CVE reports list full disclosure as occurring on 2003/09/29. The
Red Hat advisory was issued on 2003-09-30, and the last modified date
of the updated files roughly agrees with that.

http://www.eeye.com/html/Research/Advisories/AD20040210.html seems to
indicate the bug was reported to Microsoft on 2003/07/25, and fixed
2004/02/10.

Cheers,
aj

-- 
Anthony Towns <aj at humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

             Linux.conf.au 2004 -- Because we could.
           http://conf.linux.org.au/ -- Jan 12-17, 2004