Re: Should we be alarmed at our state of security support?
On Fri, 2015-02-20 at 10:26 -0600, John Goerzen wrote:

> Quite. But that is a freeform text field. I'm just suggesting we move/add it to the database so it is usable by automatic tools like debsecan and visible to people that are using the tracker. Does that sound doable? I would be willing to pitch in and help convert no-dsa comments to use the new db field option too.

It actually isn't free-form text. The NOTE: lines are free-form text, but the no-dsa is part of the status field, which is a defined set of values, including a version number it was fixed in or some other status values.

You may want to read through these pages:

https://security-tracker.debian.org/tracker/data/report
http://security-team.debian.org/security_tracker.html

PS: no need to CC subscribers on Debian lists.

--
bye,
pabs

https://wiki.debian.org/PaulWise
Re: Should we be alarmed at our state of security support?
John Goerzen wrote:

> You know, Mike, *explicit* in my original email was a question of what help is needed. I was willing to pitch in and help. I may still be.

If your goal is to help, then that's really cool.

> But how else is someone going to learn that when security-tracker says "vulnerable", in hundreds of instances, that may be wrong, other than by asking?

By spending the requisite time to get familiar with the thing you're about to criticize before sounding off a premature alarm.

> To be insulting to someone that asked a polite question about why does debsecan show hundreds of vulnerabilities on an up-to-date system -- a GOOD question -- is frankly astonishing.

The sensationalism was the insult. If the subject had been more unsensationalized, like "how can I help?", then I would not have pressed you with such a critical tone.

In fact Alessandro Ghedini asked just that a few weeks ago, which started a productive conversation, and within that short time, he is already editing the tracker, preparing security updates, and releasing DSAs.

If you want to improve the current state, then that's awesome, but you need to be willing to volunteer time, learning, and effort to make it happen. Criticism without action is bound to be counter-productive.

> Rather than insulting those that might jump in to help, you might send links to information on how to pitch in and be of assistance. Frankly, if the security team is going to be this prickly, the costs of dealing with personalities will eat up too much of my time and drain the satisfaction out of doing something useful for me.

Here are some links to get you started:

https://security-tracker.debian.org/tracker/
http://security-team.debian.org/security_tracker.html

If the documentation isn't clear about any particular concern of yours, then please feel free to improve it or ask questions, and we can provide answers that can be used to improve it.

Best wishes,
Mike

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/CANTw=MO_RTnJ3wrg-s4d0NWyOaGxmSvP9S=km+ceqkforqp...@mail.gmail.com
Re: Should we be alarmed at our state of security support?
On 02/19/2015 05:31 PM, Paul Wise wrote:

> On Fri, Feb 20, 2015 at 12:40 AM, John Goerzen wrote:
>
>> Right now, the security tracker has, apparently, three statuses for each version of Debian:
>>
>>   not vulnerable
>>   vulnerable
>>   fixed
>>
>> What if we add a fourth:
>>
>>   not worth fixing
>>
>> This could more clearly communicate what is being said by the "no DSA" comments, as well as allow debsecan to be improved with this sort of information. What do you think?
>
> "no DSA" means "will probably not be fixed via security.debian.org" or "will only be fixed via a point release by the maintainer or anyone who cares", not "not worth fixing".

Quite. But that is a freeform text field. I'm just suggesting we move/add it to the database so it is usable by automatic tools like debsecan and visible to people that are using the tracker. Does that sound doable? I would be willing to pitch in and help convert no-dsa comments to use the new db field option too.

John

Archive: https://lists.debian.org/54e76039.5060...@complete.org
Re: Should we be alarmed at our state of security support?
On 02/19/2015 12:25 AM, Michael Gilbert wrote:

> On Wed, Feb 18, 2015 at 9:11 AM, John Goerzen wrote:
>
>> On this machine, it found 472 vulnerabilities. Quite a few of them fit into the "remotely exploitable, high urgency" category. Many date back to last year, some as far back as 2012. I've included a few examples at the end.
>
> I'm not sure what your approach to counting is, but if it is simply debsecan | wc -l then you are sorely over-counting, not to mention that vulnerability counting itself is a road to madness:
> https://www.blackhat.com/us-13/briefings.html#Martin

Indeed, I understand that. I perhaps used imprecise language. 472 *REPORTED* vulnerabilities then.

However, part of what I was trying to figure out here is: do we have a lot of unpatched vulnerabilities in our archive? Whether there were 472 or 100 issues on my particular machine is somewhat beside the point. At the moment, I am not really sure what the answer is. Perhaps none of those issues are unpatched vulnerabilities.

However, debsecan is a very useful concept, but if it sends me an email every day listing 472 things that I do not need to pay attention to, then the utility of the tool is *completely* ruined.

Not to mention, we have misleading information in the security tracker. Several of the things we've discussed people are saying are not really issues in wheezy. Perhaps there are even comments in the security-tracker to that effect. But the security-tracker lists wheezy as vulnerable on the webpage and the database behind it. Either the comments are wrong or the database is. So some of this may just be a policy issue of what do we put in the database? Maybe we need a field saying "vulnerability exists in source but is not exploitable in binaries as shipped" or something.

>> Now, it is possible with some of these that the security-tracker database ought to be updated to reflect that there is not a true vulnerability. However, many of them seem to be existing issues that just got forgotten somehow. I've traced a few through bug reports and such.
>
> If you follow the secure-testing-commits list for a day, you'll see the herculean effort the security team puts in to keeping up with the constant deluge of new and ongoing security issues:
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
>
> So to suggest that not enough is being done is disingenuous and insulting.

Whoa, hold on a second there. That doesn't make any sense. I know that it is a tremendous effort to keep up with all this stuff, and I have a tremendous respect and appreciation for everyone that does this. But it is possible that even though everyone is working extremely hard, STILL not enough is being done. It may mean that the team needs more manpower, or better tools, or whatever.

I find it very puzzling that you would say that just because people are working very hard, therefore it is insulting to question whether enough is being done, as if whenever someone is working very hard they don't need any more help. You will note that I very carefully made sure to put no blame on anyone in my original message, and also explicitly asked if there are areas where people need help.

>> Are we already aware of these issues?
>
> If it's in the security tracker, then of course it is known.

I meant, are we already aware that debsecan reports hundreds of vulnerabilities on patched systems? And that this does not appear to be a bug in debsecan.

>> Do we have plans to fix them?
>
> Of course everything is intended to be fixed, but without a sufficient number of interested volunteers doing that, how is it supposed to happen?

OK,

>> Do we know what would be helpful to fix them?
>
> More volunteers actually doing the hard and constant day to day work that is security upkeep. Fewer distracting and obviously ill-researched blog and mailing list posts would also be nice.

You know, Mike, *explicit* in my original email was a question of what help is needed. I was willing to pitch in and help. I may still be.

But how else is someone going to learn that when security-tracker says "vulnerable", in hundreds of instances, that may be wrong, other than by asking? I didn't find this documented anywhere.

To be insulting to someone that asked a polite question about why does debsecan show hundreds of vulnerabilities on an up-to-date system -- a GOOD question -- is frankly astonishing.

Rather than insulting those that might jump in to help, you might send links to information on how to pitch in and be of assistance. Frankly, if the security team is going to be this prickly, the costs of dealing with personalities will eat up too much of my time and drain the satisfaction out of doing something useful for me.

John

Archive: https://lists.debian.org/54e5e539.2010...@complete.org
Re: Should we be alarmed at our state of security support?
On Thu, February 19, 2015 14:29, John Goerzen wrote:

> But how else is someone going to learn that when security-tracker says "vulnerable", in hundreds of instances, that may be wrong, other than by asking? I didn't find this documented anywhere.

I think where your misunderstanding originates is that "vulnerable" is not the black-and-white concept you seem to assume it to be. You actually need to read the issue to understand what "vulnerable" means in the very specific context of that issue.

See the security tracker as a bug tracker. Debian has thousands of open bugs in the BTS but is still not a broken system. This is because not every bug renders Debian unusable; similarly, far from every unpatched CVE makes your Debian system insecure. That's why there are already nuances in there like no-dsa.

Also you should realise that the security tracker is primarily a tool aimed at people working on security in Debian. It would be nice if it were more suited for end user consumption as well, so it confuses a regular user less over what "vulnerable" can and cannot mean, and steps have been made in that direction. Contributions to improve how we display issues that would come closer to this goal without harming the security team's work are most certainly welcome.

Nonetheless, there are quite some challenges in this that you'd need to tackle. For one, a desktop system A has a completely different threat model than server system B, than server system C, and than server system D. I'm really not sure how we could ever represent that nuance; in the end you'd still need to read the issue and judge how it affects your very specific setup. But your ideas for improvement are certainly welcome.

Cheers,
Thijs

Archive: https://lists.debian.org/aa6fedf82fca2b1094763a089cd70014.squir...@aphrodite.kinkhorst.nl
Re: Should we be alarmed at our state of security support?
On 02/19/2015 08:24 AM, Michael Stone wrote:

> On Thu, Feb 19, 2015 at 07:29:29AM -0600, John Goerzen wrote:
>
>> However, part of what I was trying to figure out here is: do we have a lot of unpatched vulnerabilities in our archive?
>
> Yes. Every system (not just debian) has unpatched vulnerabilities. In some cases those vulnerabilities are known, and in some cases those vulnerabilities are unknown. Fixing all of the vulnerabilities in general purpose software is effectively impossible. So the real question is, are there unfixed vulnerabilities worth fixing? The answer to that depends on the level of risk one is willing to take, and may include patching only vulnerabilities that are likely to be exploited, applying all potentially security-related patches, or intensively auditing the code and trying to fix all vulnerabilities. The question is made more difficult by the fact that applying patches can introduce new vulnerabilities--so fixing all low-risk vulnerabilities could potentially make things worse rather than better.

So, let's put aside the vulnerabilities that are unknown for the purposes of this discussion.

Right now, the security tracker has, apparently, three statuses for each version of Debian:

  not vulnerable
  vulnerable
  fixed

What if we add a fourth:

  not worth fixing

This could more clearly communicate what is being said by the "no DSA" comments, as well as allow debsecan to be improved with this sort of information. What do you think?

> There are no good answers, and the better answers all require a great deal of effort. Debian may be able to do a better job of communicating why certain bugs are prioritized over others, but what really should matter to you is whether the assumptions used to prioritize each bug are valid for your particular environment. (That is, you need to review each bug at length.) For most people that level of effort isn't justified, and they are content to accept whatever is prioritized by their vendor.
>
> If there are specific cases where you think that Debian made the wrong call, it's reasonable to bring those up for discussion--people do make mistakes. But do understand that we will never get to zero bugs.

Understood. I am just looking, then, for the security-tracker to reflect this reality in a way that can be automatically understood by tools like debsecan and more clearly communicated to users.

John

> Mike Stone

Archive: https://lists.debian.org/54e611f4.3060...@complete.org
Re: Should we be alarmed at our state of security support?
On Thu, Feb 19, 2015 at 07:29:29AM -0600, John Goerzen wrote:

> However, part of what I was trying to figure out here is: do we have a lot of unpatched vulnerabilities in our archive?

Yes. Every system (not just debian) has unpatched vulnerabilities. In some cases those vulnerabilities are known, and in some cases those vulnerabilities are unknown. Fixing all of the vulnerabilities in general purpose software is effectively impossible. So the real question is, are there unfixed vulnerabilities worth fixing? The answer to that depends on the level of risk one is willing to take, and may include patching only vulnerabilities that are likely to be exploited, applying all potentially security-related patches, or intensively auditing the code and trying to fix all vulnerabilities. The question is made more difficult by the fact that applying patches can introduce new vulnerabilities--so fixing all low-risk vulnerabilities could potentially make things worse rather than better.

There are no good answers, and the better answers all require a great deal of effort. Debian may be able to do a better job of communicating why certain bugs are prioritized over others, but what really should matter to you is whether the assumptions used to prioritize each bug are valid for your particular environment. (That is, you need to review each bug at length.) For most people that level of effort isn't justified, and they are content to accept whatever is prioritized by their vendor.

If there are specific cases where you think that Debian made the wrong call, it's reasonable to bring those up for discussion--people do make mistakes. But do understand that we will never get to zero bugs.

Mike Stone

Archive: https://lists.debian.org/a6179694-b841-11e4-8442-00163eeb5...@msgid.mathom.us
Re: Should we be alarmed at our state of security support?
On Fri, Feb 20, 2015 at 12:40 AM, John Goerzen wrote:

> Right now, the security tracker has, apparently, three statuses for each version of Debian:
>
>   not vulnerable
>   vulnerable
>   fixed
>
> What if we add a fourth:
>
>   not worth fixing
>
> This could more clearly communicate what is being said by the "no DSA" comments, as well as allow debsecan to be improved with this sort of information. What do you think?

"no DSA" means "will probably not be fixed via security.debian.org" or "will only be fixed via a point release by the maintainer or anyone who cares", not "not worth fixing".

--
bye,
pabs

https://wiki.debian.org/PaulWise

Archive: https://lists.debian.org/CAKTje6EiKdMV=kzwaqwxcr2qvpaz8_lwy-dnepgsjx6l1vu...@mail.gmail.com
Re: Should we be alarmed at our state of security support?
On 02/18/2015 08:44 AM, Thijs Kinkhorst wrote:

> Yes, we know about those issues. That's why debsecan reports them to you in the first place. A good place to learn more about an issue is to actually follow the links you pasted at the bottom of your email. There you can e.g. see a motivation for why libtiff4 is not that urgent to fix, similar for php5, and the useful note that clamav will be fixed through wheezy-updates and not wheezy-security (it's currently in the srm queue).
>
> If you are alarmed by the output of debsecan, it may be because the tool lacks the nuance that is represented in the tracker and does not expose the information above. Of the many issues coming in every day, there are many shades of impact and priority.

Perhaps what we need then is for more nuance in the tracker? For instance, https://security-tracker.debian.org/tracker/TEMP-000-244FCB says php5 is vulnerable; however, the security impact is unimportant. But under "Status", it just says "vulnerable". Well, is it vulnerable to a real issue or not? It seems to me they are saying it is not vulnerable to a /security/ issue. Should that status then be "not vulnerable" or perhaps even some other status?

Regarding the python2.6 one you were saying wasn't a big deal -- there's a proof of concept exploit for it:
https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/

Why would the tracker say that such a thing wasn't important enough to fix?

John
Re: Should we be alarmed at our state of security support?
* John Goerzen:

> Regarding the python2.6 one you were saying wasn't a big deal -- there's a proof of concept exploit for it:
> https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/
>
> Why would the tracker say that such a thing wasn't important enough to fix?

You need an application which uses recvfrom_into (I don't think we ship any), and that application must handle the buffer size incorrectly (i.e., it would generate an exception with the fixed Python version). This is why it's not so critical after all.

Archive: https://lists.debian.org/873862n9pu@mid.deneb.enyo.de
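Florian's point above is that the unfixed interpreter only matters when an application passes recvfrom_into() a length larger than the buffer it supplies, and that a fixed interpreter turns that mistake into an exception instead of a memory write past the buffer. The following is an added example, not code from the thread, from Python or from Debian: it checks that the local interpreter refuses an oversized nbytes (current CPython raises ValueError before it reads from the socket), and shows the receive pattern that never depends on that check in the first place. The AF_UNIX datagram socketpair and the payload are constructed here so it runs offline.

```python
"""Check how the local interpreter handles socket.recvfrom_into() when asked
for more bytes than the buffer holds, and show the safe receive pattern.

Added example for this thread, not code from Python or Debian.  A fixed
CPython refuses nbytes > len(buffer) with ValueError before touching the
socket; the exact message is not checked.  An AF_UNIX datagram socketpair is
used so the check runs offline.
"""
import socket

BUFFER_SIZE = 16


def recvfrom_into_enforces_bounds() -> bool:
    """True if recvfrom_into() refuses to receive more bytes than the buffer holds.

    Nothing is sent on the pair: a fixed interpreter raises ValueError before
    touching the socket; an unfixed one would accept the call and block, so a
    short timeout turns that into a False result instead of a hang.
    """
    sender, receiver = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        receiver.settimeout(0.2)
        buf = bytearray(BUFFER_SIZE)
        try:
            receiver.recvfrom_into(buf, BUFFER_SIZE * 4)  # asks for more than buf holds
        except ValueError:
            return True
        except socket.timeout:
            return False
        return False
    finally:
        sender.close()
        receiver.close()


def receive_datagram(sock, size: int) -> bytes:
    """Receive one datagram into a fresh buffer of exactly `size` bytes.

    nbytes is left at its default (the buffer length), so the call can never
    ask for more than the buffer holds; on Linux a longer datagram is
    truncated by the kernel rather than written past the end.
    """
    buf = bytearray(size)
    nbytes, _addr = sock.recvfrom_into(buf)
    return bytes(buf[:nbytes])


def roundtrip(payload: bytes = b"constructed datagram") -> bytes:
    """Send one constructed datagram across a socketpair and read it back safely."""
    sender, receiver = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        sender.send(payload)
        return receive_datagram(receiver, 64)
    finally:
        sender.close()
        receiver.close()


if __name__ == "__main__":
    print("interpreter rejects oversized nbytes:", recvfrom_into_enforces_bounds())
    print("roundtrip:", roundtrip())
```

The first function is the check an administrator would run on a host that still carries an interpreter flagged by debsecan; the second is what application code should look like regardless of interpreter version, since the length the kernel is allowed to write is derived from the buffer rather than supplied separately.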
Re: Should we be alarmed at our state of security support?
On Wed, Feb 18, 2015 at 9:11 AM, John Goerzen wrote:

> On this machine, it found 472 vulnerabilities. Quite a few of them fit into the "remotely exploitable, high urgency" category. Many date back to last year, some as far back as 2012. I've included a few examples at the end.

I'm not sure what your approach to counting is, but if it is simply debsecan | wc -l then you are sorely over-counting, not to mention that vulnerability counting itself is a road to madness:
https://www.blackhat.com/us-13/briefings.html#Martin

On the over-counting topic, since security issues are tracked by source package, debsecan can show up to 7 different binary packages or more affected by the same CVE (for example util-linux, krb5). Also, if you've set up multi-arch, debsecan will show the same CVE separately for i386 and amd64 (that's a bug by the way).

> Now, it is possible with some of these that the security-tracker database ought to be updated to reflect that there is not a true vulnerability. However, many of them seem to be existing issues that just got forgotten somehow. I've traced a few through bug reports and such.

If you follow the secure-testing-commits list for a day, you'll see the herculean effort the security team puts in to keeping up with the constant deluge of new and ongoing security issues:
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

So to suggest that not enough is being done is disingenuous and insulting.

> Are we already aware of these issues?

If it's in the security tracker, then of course it is known.

> Do we have plans to fix them?

Of course everything is intended to be fixed, but without a sufficient number of interested volunteers doing that, how is it supposed to happen?

> Do we know what would be helpful to fix them?

More volunteers actually doing the hard and constant day to day work that is security upkeep. Fewer distracting and obviously ill-researched blog and mailing list posts would also be nice.

Best wishes,
Mike

Archive: https://lists.debian.org/CANTw=mothu8uhqcw75agy110sxm8c5jjpeznbesugsmytqu...@mail.gmail.com
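Two things in this thread are mechanical enough for a debsecan consumer to correct for itself: the over-counting Mike describes here (one source-package issue listed once per binary package and again per architecture), and the status nuance Paul and Thijs describe elsewhere in the thread (no-dsa, "unimportant" urgency, issues the tracker already considers fixed). The following is an added example, not debsecan's or the security tracker's code: it collapses debsecan-style lines to (issue, source package) and then sorts the result by tracker status. The line format, the binary-to-source map, the placeholder ids CVE-0000-NNNN and the tracker entries are all constructed or assumed here.

```python
"""Collapse debsecan's per-binary findings to (issue, source package) and
bucket them by what the security tracker says about each one.

Added example for this thread; not code from debsecan or the Debian
security tracker.  The line format, the binary->source map and the tracker
data are constructed/assumed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ASSUMED shape of a debsecan summary line: "<id> <binary>[:<arch>] (<flags>)".
# Adjust the pattern if your debsecan version prints something different.
LINE_RE = re.compile(
    r"^(?P<cve>(?:CVE-\d{4}-\d+|TEMP-\S+))\s+"
    r"(?P<pkg>[^\s:]+)(?::(?P<arch>\S+))?\s+"
    r"\((?P<flags>[^)]*)\)\s*$"
)

# Constructed sample output.  CVE-0000-NNNN are placeholder ids, not real
# CVEs.  The util-linux issue appears six times (five binaries, one of them
# on two architectures): the over-counting described in the thread.
SAMPLE_DEBSECAN_OUTPUT = """\
CVE-0000-0001 libblkid1:amd64 (remotely exploitable, high urgency)
CVE-0000-0001 libblkid1:i386 (remotely exploitable, high urgency)
CVE-0000-0001 libmount1:amd64 (remotely exploitable, high urgency)
CVE-0000-0001 libuuid1:amd64 (remotely exploitable, high urgency)
CVE-0000-0001 mount:amd64 (remotely exploitable, high urgency)
CVE-0000-0001 util-linux:amd64 (remotely exploitable, high urgency)
CVE-0000-0002 libgssapi-krb5-2:amd64 (remotely exploitable, high urgency)
CVE-0000-0002 libkrb5-3:amd64 (remotely exploitable, high urgency)
CVE-0000-0003 python2.6:amd64 (remotely exploitable, high urgency)
CVE-0000-0004 libtiff4:amd64 (remotely exploitable, medium urgency)
CVE-0000-0005 clamav:amd64 (remotely exploitable, medium urgency)
"""

# Constructed binary -> source map.  On a real host it would be built from
# dpkg-query -W -f '${Package} ${Source}\n' (empty Source: same name as binary).
BIN_TO_SRC = {
    "libblkid1": "util-linux", "libmount1": "util-linux", "libuuid1": "util-linux",
    "mount": "util-linux", "util-linux": "util-linux",
    "libgssapi-krb5-2": "krb5", "libkrb5-3": "krb5",
    "python2.6": "python2.6", "libtiff4": "tiff", "clamav": "clamav",
}

# Constructed per-(issue, source) tracker data for one release, modelled on the
# status field as described in the thread: "vulnerable" / "not vulnerable" /
# "fixed", an optional no-dsa marker, and an urgency.
TRACKER = {
    ("CVE-0000-0001", "util-linux"): {"status": "vulnerable", "nodsa": True, "urgency": "low"},
    ("CVE-0000-0002", "krb5"): {"status": "vulnerable", "nodsa": False, "urgency": "high"},
    ("CVE-0000-0003", "python2.6"): {"status": "vulnerable", "nodsa": True, "urgency": "unimportant"},
    ("CVE-0000-0004", "tiff"): {"status": "fixed", "nodsa": False, "urgency": "medium"},
    ("CVE-0000-0005", "clamav"): {"status": "vulnerable", "nodsa": True, "urgency": "medium"},
}


@dataclass(frozen=True)
class Finding:
    cve: str
    binary: str
    arch: Optional[str]
    flags: str


def parse_debsecan(text: str) -> List[Finding]:
    """Parse summary lines; lines not matching the assumed shape are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(m["cve"], m["pkg"], m["arch"], m["flags"]))
    return findings


def collapse_by_source(findings, bin_to_src) -> Dict[Tuple[str, str], List[str]]:
    """Group findings by (issue, source package), remembering which binaries reported it."""
    groups = defaultdict(set)
    for f in findings:
        src = bin_to_src.get(f.binary, f.binary)
        groups[(f.cve, src)].add(f.binary if f.arch is None else f"{f.binary}:{f.arch}")
    return {key: sorted(bins) for key, bins in groups.items()}


def triage(groups, tracker) -> Dict[str, List[str]]:
    """Bucket each (issue, source) by the tracker's view of it."""
    buckets = {"tracker_disagrees": [], "unimportant": [], "no_dsa": [], "needs_attention": []}
    for cve, src in sorted(groups):
        entry = tracker.get((cve, src))
        label = f"{cve} {src}"
        if entry is None:
            buckets["needs_attention"].append(label)    # unknown here: look it up by hand
        elif entry["status"] != "vulnerable":
            buckets["tracker_disagrees"].append(label)  # one side is stale: read the NOTE lines
        elif entry["urgency"] == "unimportant":
            buckets["unimportant"].append(label)
        elif entry["nodsa"]:
            buckets["no_dsa"].append(label)             # no DSA: point release, if at all
        else:
            buckets["needs_attention"].append(label)
    return buckets


def summarize(text=SAMPLE_DEBSECAN_OUTPUT, bin_to_src=BIN_TO_SRC, tracker=TRACKER):
    findings = parse_debsecan(text)
    groups = collapse_by_source(findings, bin_to_src)
    return {
        "raw_lines": len(findings),                       # what `debsecan | wc -l` counts
        "distinct_issues": len({f.cve for f in findings}),
        "source_issues": len(groups),
        "buckets": triage(groups, tracker),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

On the constructed input the raw count is 11 while there are only 5 distinct issues, and of those only one lands in "needs_attention"; the rest are the no-dsa, unimportant and already-fixed shades that the thread says a plain line count hides. The "tracker_disagrees" bucket is the case John raises, where debsecan and the tracker do not agree and the NOTE lines have to be read.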
Re: Should we be alarmed at our state of security support?
2015-02-18 15:11 GMT+01:00 John Goerzen jgoer...@complete.org:

> Hi folks,
>
> So I recently downloaded and installed debsecan on several of my machines. These are all fully up-to-date machines, running either wheezy or jessie. For now I'll just focus on wheezy since it's where our security focus should go.
>
> On this machine, it found 472 vulnerabilities. Quite a few of them fit into the "remotely exploitable, high urgency" category. Many date back to last year, some as far back as 2012. I've included a few examples at the end.

no panic! take a look ;)

http://www.enyo.de/fw/software/debsecan/

> Now, it is possible with some of these that the security-tracker database ought to be updated to reflect that there is not a true vulnerability. However, many of them seem to be existing issues that just got forgotten somehow. I've traced a few through bug reports and such.
>
> I wonder:
>
> Are we already aware of these issues?
> Do we have plans to fix them?
> Do we know what would be helpful to fix them?
>
> Thanks,
> John

bye,
gionni
Re: Should we be alarmed at our state of security support?
Hi John,

On Wed, February 18, 2015 15:11, John Goerzen wrote:

> Hi folks,
>
> So I recently downloaded and installed debsecan on several of my machines. These are all fully up-to-date machines, running either wheezy or jessie. For now I'll just focus on wheezy since it's where our security focus should go.
>
> On this machine, it found 472 vulnerabilities. Quite a few of them fit into the "remotely exploitable, high urgency" category. Many date back to last year, some as far back as 2012. I've included a few examples at the end.
>
> Now, it is possible with some of these that the security-tracker database ought to be updated to reflect that there is not a true vulnerability. However, many of them seem to be existing issues that just got forgotten somehow. I've traced a few through bug reports and such.
>
> I wonder:
>
> Are we already aware of these issues?
> Do we have plans to fix them?
> Do we know what would be helpful to fix them?

Yes, we know about those issues. That's why debsecan reports them to you in the first place. A good place to learn more about an issue is to actually follow the links you pasted at the bottom of your email. There you can e.g. see a motivation for why libtiff4 is not that urgent to fix, similar for php5, and the useful note that clamav will be fixed through wheezy-updates and not wheezy-security (it's currently in the srm queue).

If you are alarmed by the output of debsecan, it may be because the tool lacks the nuance that is represented in the tracker and does not expose the information above. Of the many issues coming in every day, there are many shades of impact and priority.

A good start to direct your efforts may be to enhance debsecan to be more precise in what it presents. Another improvement could be to reconsider how informative the NVD severity actually is in practice or whether we should avoid displaying it.

Cheers,
Thijs

Archive: https://lists.debian.org/31c7abb9d4b4dca916c455ecadbed574.squir...@aphrodite.kinkhorst.nl
Re: Should we be alarmed at our state of security support?
On Wed, February 18, 2015 15:44, Thijs Kinkhorst wrote:

> you can e.g. see a motivation for why libtiff4 is not that urgent to fix, similar for php5 and the useful note that clamav will be fixed through

Where I said php5 I meant python2.6 (all these interpreters are the same to me...)

Cheers,
Thijs

Archive: https://lists.debian.org/109b701358a7b6c17a8a8691fb2abb98.squir...@aphrodite.kinkhorst.nl