Security updates for Linux distros

From: Robert Glueck (rglk_at_web.de)
Date: 04/27/05


Date: Wed, 27 Apr 2005 13:41:44 -0400

I recently posted a query here about the absence of security updates for
Xandros OS. Thanks to all who responded.

The last security update for Xandros Desktop OS v.2.0.1 (a "general
security update") was issued nine months ago. Since then Debian, on
which Xandros is based, has released 179 security advisories (DSA-535 to
DSA-714). This includes the following packages, most of which are
commonly used system files and which are part of the default install of
Xandros Desktop:

libpng (*536), kdelibs (539), qt (*542), gtk+ (*549), imlib (*548),
imlib2 (*549), xfree86 (561), sox (*565), libpng (*570), iptables (580),
gzip (588), openssl (603), xfree86 (*607), htget (*611), imlib (*618),
cupsys (*621), zip (*624), imlib2 (*628), exim (*635), glibc (*636),
cupsys (*645), xine-lib (*657), kdelibs (*714)

For details see http://www.debian.org/security/2004/ and
http://www.debian.org/security/2005/.

I have flagged packages (*) that appear to have fairly serious security
vulnerabilities (i.e. vulnerabilities that according to the DSA "may be
utilised by an attacker to execute arbitrary code on the victim's
machine"). The numbers in brackets are the DSA numbers (DSA = Debian
Security Advisory). In most cases, the DSA states "We recommend that
you upgrade your xxxxx package"; in a few cases it adds "immediately"
(e.g. DSA-607 xfree86 xlibs package).

Debian has supplied fixes for all of these for the woody distribution.
Fixes are also available for many of them for the sid distribution or
else, as Debian states, "the problem will be fixed soon". Strangely,
for the sarge versions of these packages no patches appear to be available.

These packages are part of the base install of practically every Linux
distribution. What has been the action of the vendor/developer of your
distribution with regard to these vulnerabilities (did they post alerts
and fixes?) and what did you decide to do? Can one simply shrug off
these alerts as being inconsequential for a desktop machine configured
in a standard way, as Xandros appears to have done, or is there cause
for concern and action?

I'm running Xandros 2.0.1 as a desktop OS; no servers are enabled nor is
Windows file sharing. I have a broadband connection to the Internet
(computer > NAT router > cable modem > ISP). An iptables firewall
(configured with Firestarter 0.92) is installed on my system, with
Firestarter's default settings (DHCP, access to all services disabled,
ToS filtering and ICMP filtering disabled); the firewall is enabled at
bootup.

Thanks for your help.

Robert
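One way to turn a list like the one in the post into an action list for a particular machine, as an added example that is not part of the original post or of any Debian or Xandros tooling: the script below parses the advisory list in the post's own notation (package name, DSA number in brackets, a leading "*" for the entries the poster flagged as allowing arbitrary code execution), cross-references it against the packages actually installed, and prints the installed packages that have an outstanding advisory, with the code-execution ones first. The advisory list is copied from the post; the installed-package inventory is constructed sample data in the one-name-per-line format that `dpkg-query -W -f='${Package}\n'` produces, and the "critical" grouping reflects only the poster's "*" marking, not a severity rating from Debian.

```python
"""Cross-reference a list of Debian Security Advisories (DSAs) against the
packages installed on a machine and report which installed packages have an
outstanding advisory, separating those whose advisory is marked as allowing
arbitrary code execution.

ADVISORY_LIST is copied from the mailing-list post in the post's own notation:
"pkg (NNN)" gives a DSA number; a leading "*" is the poster's flag for an
advisory that allows arbitrary code execution.
"""
import re
from collections import defaultdict

ADVISORY_LIST = """
libpng (*536), kdelibs (539), qt (*542), gtk+ (*549), imlib (*548),
imlib2 (*549), xfree86 (561), sox (*565), libpng (*570), iptables (580),
gzip (588), openssl (603), xfree86 (*607), htget (*611), imlib (*618),
cupsys (*621), zip (*624), imlib2 (*628), exim (*635), glibc (*636),
cupsys (*645), xine-lib (*657), kdelibs (*714)
"""

# Constructed sample inventory (not taken from any real machine), in the
# one-package-per-line format printed by: dpkg-query -W -f='${Package}\n'
INSTALLED_PACKAGES = """\
glibc
gzip
iptables
kdelibs
libpng
openssl
qt
xfree86
zip
firestarter
"""

# Package names may contain '+', '-' and '.', e.g. gtk+ and xine-lib.
ENTRY_RE = re.compile(r"([\w.+-]+)\s+\((\*?)(\d+)\)")


def parse_advisories(text):
    """Return a list of (package, dsa_number, code_exec) tuples.

    code_exec is True when the entry carried the '*' marker.
    """
    return [(pkg, int(num), star == "*") for pkg, star, num in ENTRY_RE.findall(text)]


def parse_installed(text):
    """Return the set of package names from a one-per-line inventory."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def triage(advisories, installed):
    """Group advisories by installed package.

    Returns (critical, other): dicts mapping package name -> sorted list of
    DSA numbers. 'critical' holds installed packages with at least one
    code-execution advisory; 'other' holds installed packages whose advisories
    are all unstarred. Advisories for packages not installed are dropped.
    """
    by_pkg = defaultdict(list)
    exec_pkgs = set()
    for pkg, dsa, code_exec in advisories:
        if pkg not in installed:
            continue
        by_pkg[pkg].append(dsa)
        if code_exec:
            exec_pkgs.add(pkg)
    critical = {p: sorted(d) for p, d in by_pkg.items() if p in exec_pkgs}
    other = {p: sorted(d) for p, d in by_pkg.items() if p not in exec_pkgs}
    return critical, other


def report(critical, other):
    """Render the triage result as one line per affected package."""
    lines = []
    for label, group in (("UPGRADE NOW", critical), ("upgrade", other)):
        for pkg, dsas in sorted(group.items()):
            refs = ", ".join(f"DSA-{d}" for d in dsas)
            lines.append(f"{label:12s} {pkg:10s} {refs}")
    return "\n".join(lines)


if __name__ == "__main__":
    crit, rest = triage(parse_advisories(ADVISORY_LIST),
                        parse_installed(INSTALLED_PACKAGES))
    print(report(crit, rest))
```

On the constructed inventory above this lists libpng, kdelibs, qt, xfree86, zip and glibc under "UPGRADE NOW" and gzip, iptables and openssl under "upgrade"; firestarter has no advisory in the list and is not shown. Replacing INSTALLED_PACKAGES with the real output of `dpkg-query -W -f='${Package}\n'` gives the same triage for an actual machine, which is the question the post is asking: whether the advisories that apply to a default desktop install can be ignored or need action.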