On Tue, Mar 23, 2004 at 11:43:37AM +1030, Paul Shirren wrote:
> Perhaps Anthony Towns would like to comment on this line from the article:
> "For example, Debian (Debian GNU/Linux) has left vulnerabilities there
> and didn't release any patches for them."

Not really; it's certainly true in some cases -- we don't do security support for unreleased distributions (testing, unstable or experimental), so there are definitely vulnerabilities left in some of those packages; and I'm sure in some cases those packages get dropped rather than patched.

There seem to be a bunch of problems in the bug tracking system that are listed as security issues related to the current stable release; I had a quick chat with a couple of the security team members and most of those reports do seem to be misfiled, although a couple do need further investigation, and an ecartis bug (which has since had an advisory released) was indeed dropped on the floor. The bugs reported as potential security issues for the current stable release can currently be found at:

http://bugs.debian.org/cgi-bin/pkgreport.cgi?which=tag&data=security&include=woody

Certainly leaving things unpatched isn't our standard procedure -- the thirteen bugs listed there over a period of about a year, compared to 185 security updates issued in 2003. By comparison, Microsoft issued 51 updates in 2003, according to http://www.microsoft.com/technet/security/CurrentDL.aspx, although a fair number of those were "cumulative updates".

I've written to Mr Krasovitsky to see if we can find out some more details to work out if there are more problems that need fixing.

> Is it just me or did it take months for Microsoft to release a fix for
> the ASN.1 vulnerability? I looked it up at the time and I think the
> dates for fixes were something like:
> FreeBSD: 3 October 2003
> Debian GNU/Linux: 11 October 2003
> Microsoft: February 10, 2004?

There's DSA 393-1, which was a remote DoS bug in openssl which is listed as being reported/fixed on 2003/10/01, apparently. The CVE ids for that vulnerability were CAN-2003-0543 and CAN-2003-0544.

The ASN.1 parsing vulnerability is listed as being reported on 2003/10/11, and fixed on Oct 11, and the CVE refs are the above two and CAN-2003-0545. The three CVE reports list full disclosure as occurring on 2003/09/29. The Red Hat advisory was issued on 2003-09-30, and the last modified date of the updated files roughly agrees with that.

http://www.eeye.com/html/Research/Advisories/AD20040210.html seems to indicate the bug was reported to Microsoft on 2003/07/25, and fixed 2004/02/10.

Cheers,
aj

--
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

Linux.conf.au 2004 -- Because we could.
http://conf.linux.org.au/ -- Jan 12-17, 2004