Security updates for Linux distros

From: Robert Glueck (
Date: 04/27/05

Date: Wed, 27 Apr 2005 13:41:44 -0400

I recently posted a query here about the absence of security updates for
Xandros OS. Thanks to all who responded.

The last security update for Xandros Desktop OS v.2.0.1 (a "general
security update") was issued nine months ago. Since then Debian, on
which Xandros is based, has released 179 security advisories (DSA-535 to
DSA-714). This includes the following packages, most of which are
commonly used system files and which are part of the default install of
Xandros Desktop:

libpng (*536), kdelibs (539), qt (*542), gtk+ (*549), imlib (*548),
imlib2 (*549), xfree86 (561), sox (*565), libpng (*570), iptables (580),
gzip (588), openssl (603), xfree86 (*607), htget (*611), imlib (*618),
cupsys (*621), zip (*624), imlib2 (*628), exim (*635), glibc (*636),
cupsys (*645), xine-lib (*657), kdelibs (*714)

For details see and

I have flagged packages (*) that appear to have fairly serious security
vulnerabilities (i.e. vulnerabilities that according to the DSA "may be
utilised by an attacker to execute arbitrary code on the victim's
machine"). The numbers in brackets are the DSA numbers (DSA = Debian
Security Advisory). In most cases, the DSA states "We recommend that
you upgrade your xxxxx package", in a few cases it adds "immediately"
(e.g. DSA-607 xfree86 xlibs package).

Debian has supplied fixes for all of these for the woody distribution.
Fixes are also available for many of them for the sid distribution or
else, as Debian states, "the problem will be fixed soon". Strangely,
for the sarge versions of these packages no patches appear to be available.

These packages are part of the base install of practically every Linux
distribution. What has been the action of the vendor/developer of your
distribution with regard to these vulnerabilities (did they post alerts
and fixes?) and what did you decide to do? Can one simply shrug off
these alerts as being inconsequential for a desktop machine configured
in a standard way, as Xandros appears to have done, or is there cause
for concern and action?

I'm running Xandros 2.0.1 as a desktop OS; no servers are enabled nor is
Windows file sharing. I have a broadband connection to the Internet
(computer > NAT router > cable modem > ISP). An iptables firewall
(configured with Firestarter 0.92) is installed on my system, with
Firestarter's default settings (DHCP, access to all services disabled,
ToS filtering and ICMP filtering disabled); the firewall is enabled at

Thanks for your help.
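
Added example, not part of the original post: one way to start the triage the post asks about is to match its advisory list against the packages actually installed, via each binary package's source name. The dpkg-query output here is a constructed sample, and the binary package names in it (other than xlibs, which the post mentions) are assumptions.

```python
import re
from collections import defaultdict

# The advisory list exactly as given in the post: "name (NNN)" or "name (*NNN)",
# where * is the poster's flag for possible arbitrary code execution.
POST_LIST = """
libpng (*536), kdelibs (539), qt (*542), gtk+ (*549), imlib (*548),
imlib2 (*549), xfree86 (561), sox (*565), libpng (*570), iptables (580),
gzip (588), openssl (603), xfree86 (*607), htget (*611), imlib (*618),
cupsys (*621), zip (*624), imlib2 (*628), exim (*635), glibc (*636),
cupsys (*645), xine-lib (*657), kdelibs (*714)
"""

# Constructed sample of: dpkg-query -W -f '${Package}\t${source:Package}\n'
# (binary package, then the source package it was built from).
SAMPLE_INSTALLED = "xlibs\txfree86\nlibpng2\tlibpng\ngzip\tgzip\nbash\tbash\nlibc6\tglibc\n"

ENTRY = re.compile(r"([A-Za-z0-9.+-]+)\s*\((\*?)(\d+)\)")

def parse_advisories(text):
    """Return {source_name: [(dsa_number, flagged), ...]} from the post's list."""
    found = defaultdict(list)
    for name, star, num in ENTRY.findall(text):
        found[name].append((int(num), star == "*"))
    return dict(found)

def triage(installed_text, advisories):
    """Match installed binaries to advisories via their source package name."""
    rows = []
    for line in installed_text.splitlines():
        if not line.strip():
            continue
        binary, _, source = line.partition("\t")
        source = source.strip() or binary  # fall back if the source field is empty
        for num, flagged in advisories.get(source, []):
            rows.append((flagged, f"DSA-{num}", source, binary))
    # Flagged (code-execution) advisories first, then by DSA number.
    return sorted(rows, key=lambda r: (not r[0], int(r[1][4:])))

if __name__ == "__main__":
    for flagged, dsa, source, binary in triage(SAMPLE_INSTALLED, parse_advisories(POST_LIST)):
        print(f"{'*' if flagged else ' '} {dsa:8} {source:10} installed as {binary}")
```

A name match only says an advisory exists for that package; whether the installed version is affected still requires comparing it with the fixed version given in each DSA.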

