On 02/19/2015 12:25 AM, Michael Gilbert wrote:
> On Wed, Feb 18, 2015 at 9:11 AM, John Goerzen wrote:
>> On this machine, it found 472 vulnerabilities. Quite a few of them fit
>> into the remotely exploitable, high urgency category. Many date back to
>> last year, some as far back as 2012. I've included a few examples at
>> the end.
>
> I'm not sure what your approach to counting is, but if it is simply
> "debsecan | wc -l" then you are sorely over-counting, not to mention
> that vulnerability counting itself is a road to madness:
> https://www.blackhat.com/us-13/briefings.html#Martin
Indeed, I understand that. I perhaps used imprecise language. "472 *REPORTED* vulnerabilities" then.

However, part of what I was trying to figure out here is: do we have a lot of unpatched vulnerabilities in our archive? Whether there were 472 or 100 issues on my particular machine is somewhat beside the point. At the moment, I am not really sure what the answer is. Perhaps none of those issues are unpatched vulnerabilities.

However, debsecan is a very useful concept, but if it sends me an email every day listing 472 things that I do not need to pay attention to, then the utility of the tool is *completely* ruined.

Not to mention, we have misleading information in the security tracker. Several of the things we've discussed, people are saying, are not really issues in wheezy. Perhaps there are even comments in the security-tracker to that effect. But the security-tracker lists wheezy as vulnerable on the webpage and in the database behind it. Either the comments are wrong or the database is.

So some of this may just be a policy issue of "what do we put in the database?" Maybe we need a field saying "vulnerability exists in source but is not exploitable in binaries as shipped" or something.

>> Now, it is possible with some of these that the security-tracker
>> database ought to be updated to reflect that there is not a true
>> vulnerability. However, many of them seem to be existing issues that
>> just got forgotten somehow. I've traced a few through bug reports and such.
>
> If you follow the secure-testing-commits list for a day, you'll see
> the herculean effort the security team puts into keeping up with the
> constant deluge of new and ongoing security issues:
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
>
> So to suggest that not enough is being done is disingenuous and insulting.

Whoa, hold on a second there. That doesn't make any sense.
I know that it is a tremendous effort to keep up with all this stuff, and I have a tremendous respect and appreciation for everyone that does this. But it is possible that even though everyone is working extremely hard, STILL not enough is being done. It may mean that the team needs more manpower, or better tools, or whatever.

I find it very puzzling that you would say that just because people are working very hard, therefore it is insulting to question whether enough is being done, as if whenever someone is working very hard they don't need any more help. You will note that I very carefully made sure to put no blame on anyone in my original message, and also explicitly asked if there are areas where people need help.

>> Are we already aware of these issues?
>
> If it's in the security tracker, then of course it is known.

I meant, "are we already aware that debsecan reports hundreds of vulnerabilities on patched systems?" And that this does not appear to be a bug in debsecan.

>> Do we have plans to fix them?
>
> Of course everything is intended to be fixed, but without a sufficient
> number of interested volunteers doing that, how is it supposed to
> happen?

OK,

>> Do we know what would be helpful to fix them?
>
> More volunteers actually doing the hard and constant day to day work
> that is security upkeep. Fewer distracting and obviously
> ill-researched blog and mailing list posts would also be nice.

You know, Mike, *explicit* in my original email was a question of what help is needed. I was willing to pitch in and help. I may still be. But how else is someone going to learn that when security-tracker says "vulnerable", in hundreds of instances, that may be wrong, other than by asking? I didn't find this documented anywhere.

To be insulting to someone that asked a polite question about "why does debsecan show hundreds of vulnerabilities on an up-to-date system" -- a GOOD question -- is frankly astonishing.
Rather than insulting those that might jump in to help, you might send links to information on how to pitch in and be of assistance.

Frankly, if the security team is going to be this prickly, the costs of dealing with personalities will eat up too much of my time and drain the satisfaction out of doing something useful for me.

John

Archive: https://lists.debian.org/[email protected]
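The counting dispute in this thread ("debsecan | wc -l" over-counts, and already-fixed entries are noise when the question is "what is still unpatched?") is easy to make concrete. The following is an added example, not code from the thread, from debsecan or from the Debian security team; it assumes debsecan's summary lines look like "CVE-ID package (flags, urgency)" and runs over a constructed sample report, deduplicating by CVE and separating the remotely exploitable, high urgency entries.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of debsecan's default summary lines
# (assumed format "CVE-ID package (flags, urgency)"); not real output.
SAMPLE_REPORT = """\
CVE-2014-0001 libfoo1 (remotely exploitable, high urgency)
CVE-2014-0001 libfoo-dev (remotely exploitable, high urgency)
CVE-2014-0001 foo-utils (remotely exploitable, high urgency)
CVE-2013-0002 libbar2 (low urgency)
CVE-2012-0003 bazd (remotely exploitable, medium urgency)
CVE-2012-0003 baz-client (remotely exploitable, medium urgency)
CVE-2014-0004 libqux0 (fixed, remotely exploitable, high urgency)
"""

LINE_RE = re.compile(r"^(CVE-\d{4}-\d{4,}) (\S+) \(([^)]*)\)$")


def parse_report(text):
    """Yield (cve, package, flags) for each well-formed report line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line: ignore rather than miscount
        cve, pkg, flags = m.groups()
        yield cve, pkg, {f.strip() for f in flags.split(",")}


def summarize(text):
    """Compare raw line count with distinct CVEs; bucket open CVEs by urgency."""
    raw_lines = 0
    pkgs_by_cve = defaultdict(set)  # one CVE is listed once per binary package
    flags_by_cve = {}
    for cve, pkg, flags in parse_report(text):
        raw_lines += 1
        pkgs_by_cve[cve].add(pkg)
        flags_by_cve[cve] = flags
    # Entries already flagged "fixed" are noise for "what is still unpatched?"
    open_cves = {c for c, f in flags_by_cve.items() if "fixed" not in f}
    urgency = Counter(
        next((f for f in flags_by_cve[c] if f.endswith("urgency")), "unknown")
        for c in open_cves
    )
    remote_high = sorted(c for c in open_cves
                         if {"remotely exploitable", "high urgency"} <= flags_by_cve[c])
    return {"raw_lines": raw_lines, "distinct_cves": len(pkgs_by_cve),
            "open_cves": len(open_cves), "by_urgency": dict(urgency),
            "remote_high": remote_high}
```

On the constructed sample, seven report lines collapse to four distinct CVEs, three of them still open and only one both remotely exploitable and high urgency.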

