Re: Timeliness of Debian Security Announceness? (DSA 756-1 Squirrelmail)
On Thu, Jul 14, 2005 at 05:40:22PM +0200, Herwig Wittmann wrote:
> Hi!
>
> I am trying to understand if my organization can rely on the debian
> security announcement mailing list as only source of security alerts in
> the future.
>
> This would be very convenient- but the delay that seems to have passed
> between the original squirrelmail security announcement and the time I
> received the alert via [EMAIL PROTECTED] is worrying:
>
> The Vulnerability seems to have been described a few weeks ago:
> http://www.squirrelmail.org/security/issue/2005-06-15
>
> The Debian Security Advisory 756-1 is dated July 13th, 2005.
>
>
> I do not want to be rude in any way- please try to excuse my way of putting
> things, but does anybody have a prediction how probable it is for such a
> thing to happen again?

There were two issues. When a security release for the first one was
prepared (28 June), I was informed about it as Squirrelmail maintainer (by
my co-maintainer, a member of Squirrelmail security). After discussing with
the security team and my co-maintainer, we decided to make it one update,
also considering the severity of the issue, and the limited available time
on my part at least. The DSA was released on the same day as the second
issue was published (embargo expired).

So, the delay was a judgement call, and I still think it was the right
thing to do, especially since it took a bit of time to find a suitable
patch for some of the more hairy issues (esp. in woody). The biggest reason
though might have been that I had not much time at all the past weeks for
this.

Do note that the buildd network for security had nothing to do with this,
as squirrelmail is a purely architecture: all package.

> Is there a role/function in debian that is responsible for reviewing
> bugtraq or similar sources, and is ensured that this role is fulfilled
> every day?

The security team follows bugtraq, and a lot of others do so too.
In squirrelmail's case, one of the upstream security guys is co-maintainer
of the Debian package. If you take the effort to look at the bug page,
you'll notice that we were well aware, and working on it.

> Or will there be other measures in place to see that security issues are
> noticed quickly for all packages- even for strange tools that
> are not used by normal unix-centered developers?

Noticed doesn't mean that people immediately go out of their way to create
an update the same day, we're still a volunteer organisation, and bear in
mind that not all issues are equally severe.

--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Timeliness of Debian Security Announceness? (DSA 756-1 Squirrelmail)
* Herwig Wittmann ([EMAIL PROTECTED]) [050714 17:58]:
> I do not want to be rude in any way- please try to excuse my way of putting
> things, but does anybody have a prediction how probable it is for such a
> thing to happen again?
>
> Is there a role/function in debian that is responsible for reviewing
> bugtraq or similar sources, and is ensured that this role is fulfilled
> every day?

We are about to add more resources to that role. Also, new CVE ids are
checked to see whether they apply to Debian or not.

Cheers,
Andi
Re: Timeliness of Debian Security Announceness? (DSA 756-1 Squirrelmail)
On Thursday 14 July 2005 22:03, Fredrik "Demonen" Vold wrote:
> I think it's possible for a script to list all installed packages,
> then check each of them against the bug report system to see if the
> installed version has a security bug filed against it.
>
> Maybe if some automated system on the server would generate a
> "Security.gz" or something else similar to the package list for
> apt? I really don't know enough of the bug tracking system to know
> if this is possible, but it opens up a lot of possibilities if it
> is.

There is a page listing all security bugs:
http://qa.debian.org/bts-security.html

And a quick hack to extract only the bugs for installed packages is at
http://www.sfritsch.de/debian/list-bts-security
(uses apt-show-versions and libwww-perl).

Probably it would be nice to add some functionality to only show the
differences from the last run...

Cheers,
Stefan
Re: Timeliness of Debian Security Announceness? (DSA 756-1 Squirrelmail)
Greetings,

On Thursday, 14 July 2005 17:40, Herwig Wittmann wrote:
> Hi!
>
> I am trying to understand if my organization can rely on the debian
> security announcement mailing list as only source of security alerts in
> the future.
>
> This would be very convenient- but the delay that seems to have passed
> between the original squirrelmail security announcement and the time I
> received the alert via [EMAIL PROTECTED] is worrying:

If you've been following debian for at least a couple of months, you got
to know that this issue was fixed rather fast. However, my - one and only -
advice in this case is: Don't use debian packages if this is vital for you!

Keep smiling
yanosz
Re: Timeliness of Debian Security Announceness? (DSA 756-1 Squirrelmail)
> More important is to know if you are vulnerable.

Yeah. I agree.

I propose a slight addition to dpkg: dpkg-secure

I think it's possible for a script to list all installed packages, then
check each of them against the bug report system to see if the installed
version has a security bug filed against it.

Maybe if some automated system on the server would generate a "Security.gz"
or something else similar to the package list for apt? I really don't know
enough of the bug tracking system to know if this is possible, but it opens
up a lot of possibilities if it is.

One could then run a cronjob (or whatever) for dpkg-secure and it would
report any of the packages that are both installed and have a
security-tagged bug associated with it. The result, of course, would end up
in whomever crond emails its output to. No insecure packages installed
would generate no output and thus no email.

Maybe there could be two states? "Insecure, unpatched" and "insecure,
patched"? That way an output parser would know what to apt-get and what to
scream to root about. The output might involve an address to the relevant
bug report or even parts of the report itself.

Of course, any bugs that are kept "secret" because they're easy for
skiddies to reproduce (or whatever) would not show up here either. Welcome
to Earth. It's imperfect.

Anyone, feel free to pick apart my idea, and please inform me if such a
system exists and I've completely missed it.

-- 
Fredrik "Demonen" Vold
/* - Do not meddle in the affairs of dragons,
     for you are crunchy and good with ketchup. */
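The following is an added example, not code from the thread and not Stefan's list-bts-security script: a Python sketch of the dpkg-secure idea Fredrik proposes above, with the "only show the differences from the last run" feature Stefan suggests in his reply. The security bug list and the apt-show-versions output are constructed stand-ins (the bug numbers are made up), and the version comparison reimplements dpkg's ordering rules so the script can tell whether the installed version predates the fixed one.

```python
import json
import tempfile
from pathlib import Path

# Constructed stand-in for the BTS security bug list; bug numbers are made up.
# fixed_version None means no fixed package is known yet.
SECURITY_BUGS = [
    {"bug": 100001, "package": "squirrelmail", "fixed_version": "2:1.4.4-6"},
    {"bug": 100002, "package": "libfoo1", "fixed_version": None},
    {"bug": 100003, "package": "bar", "fixed_version": "1.0-2"},
]

# Constructed stand-in for `apt-show-versions` output ("package/suite version").
APT_SHOW_VERSIONS = """\
squirrelmail/sarge 2:1.4.4-5
libfoo1/sarge 0.9-1
bar/sarge 1.0-2
baz/sarge 3.1-1
"""

UNPATCHED = "insecure, unpatched"  # no fixed package known: tell root
PATCHED = "insecure, patched"      # fix exists, installed version is older: apt-get it


def _order(c):
    # Character weight used by dpkg: '~' sorts before everything, even the end.
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    # dpkg's verrevcmp(): alternate non-digit and digit runs, left to right.
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_version(v):
    # "[epoch:]upstream[-revision]"; the revision is everything after the last '-'.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def dpkg_compare(a, b):
    """Negative, zero or positive like dpkg --compare-versions: epoch, upstream, revision."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def parse_installed(text):
    """Map package name -> installed version from apt-show-versions style lines."""
    installed = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            installed[fields[0].split("/")[0]] = fields[1]
    return installed


def classify(installed, bugs):
    """Keep bugs against installed packages; drop those the installed version already fixes."""
    findings = []
    for bug in bugs:
        ver = installed.get(bug["package"])
        if ver is None:
            continue
        fixed = bug["fixed_version"]
        if fixed is None:
            state = UNPATCHED
        elif dpkg_compare(ver, fixed) < 0:
            state = PATCHED
        else:
            continue
        findings.append({**bug, "installed": ver, "state": state})
    return findings


def new_since_last_run(findings, state_file):
    """Return only findings not reported last run; a state change (fix appears) is reported again."""
    state_file = Path(state_file)
    seen = set(json.loads(state_file.read_text())) if state_file.exists() else set()
    keys = [f"{f['bug']}:{f['state']}" for f in findings]
    new = [f for f, k in zip(findings, keys) if k not in seen]
    state_file.write_text(json.dumps(keys))
    return new


def format_report(findings):
    # One line per finding; empty list means cron sends no mail.
    return [f"{f['state']}: {f['package']} {f['installed']} (fixed in "
            f"{f['fixed_version'] or 'no fix yet'}) http://bugs.debian.org/{f['bug']}"
            for f in findings]


def demo():
    """Two runs against one state file: first reports both findings, second reports none."""
    findings = classify(parse_installed(APT_SHOW_VERSIONS), SECURITY_BUGS)
    with tempfile.TemporaryDirectory() as d:
        state = Path(d) / "dpkg-secure.state"
        return len(new_since_last_run(findings, state)), len(new_since_last_run(findings, state))


if __name__ == "__main__":
    for line in format_report(classify(parse_installed(APT_SHOW_VERSIONS), SECURITY_BUGS)):
        print(line)
```

Run from cron, the state file (an assumed path such as /var/tmp/dpkg-secure.state) makes the second and later runs silent until a new bug appears or a fix becomes available, which is exactly the "what to apt-get and what to scream to root about" split: "insecure, patched" lines are upgrade candidates, "insecure, unpatched" lines need a workaround or a decision.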
Re: Timeliness of Debian Security Announceness? (DSA 756-1 Squirrelmail)
* Herwig Wittmann <[EMAIL PROTECTED]> [050714 17:58]:
> I am trying to understand if my organization can rely on the debian
> security announcement mailing list as only source of security alerts in
> the future.

I think even when there are no temporary problems with the security
infrastructure, this is not enough. Debian's security announcement list
(and I think most other vendors' lists) only announce new patched or
updated packages.

More important is to know if you are vulnerable. Not every service is
vital, many things can be worked around temporarily, or made impossible
due to local circumstances.

And as long as it is not a vulnerability found in an audit and only told
to the security teams, the time between these two events (knowledge about
the problem and availability of updated packages) is non-zero even with a
perfect security team.

Yours faithfully,
Bernhard R. Link
Re: Timeliness of Debian Security Announceness? (DSA 756-1 Squirrelmail)
On Thu, Jul 14, 2005 at 05:40:22PM +0200, Herwig Wittmann wrote:
> This would be very convenient- but the delay that seems to have passed
> between the original squirrelmail security announcement and the time I
> received the alert via [EMAIL PROTECTED] is worrying:
>
> The Vulnerability seems to have been described a few weeks ago:
> http://www.squirrelmail.org/security/issue/2005-06-15
>
> The Debian Security Advisory 756-1 is dated July 13th, 2005.

This has been discussed already in the archives, you should probably refer
to those rather than reviving the subject. E.g. the following three threads:

http://lists.debian.org/debian-security/2005/06/msg00055.html
http://lists.debian.org/debian-security/2005/06/msg00097.html
http://lists.debian.org/debian-security/2005/06/msg00142.html

> I do not want to be rude in any way- please try to excuse my way of putting
> things, but does anybody have a prediction how probable it is for such a
> thing to happen again?

It's unknown whether the build infrastructure problems will recur, machines
do die so it's possible. The communication problems leading to various
misunderstandings I hope will be less likely to reoccur.

> Is there a role/function in debian that is responsible for reviewing
> bugtraq or similar sources, and is ensured that this role is fulfilled
> every day?

The security team do follow bugtraq, etc. Filing bugs with patches is a
useful thing to do - but forwarding a message that has been posted
publicly already is perhaps less useful. It's not like there's not enough
spam mail sent to [EMAIL PROTECTED] already ;)

> Or will there be other measures in place to see that security issues are
> noticed quickly for all packages- even for strange tools that
> are not used by normal unix-centered developers?

I'm unsure exactly what you are suggesting about less popular tools. Sure
if five issues need fixing simultaneously the "less used" is liable to
suffer if there's a more important bug.

Still even less popular tools are supported, all packages should receive
updates eventually.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit
Re: Timeliness of Debian Security Announceness? (DSA 756-1 Squirrelmail)
On Thu, Jul 14, 2005 at 05:40:22PM +0200, Herwig Wittmann wrote:
> Hi!
>
> I am trying to understand if my organization can rely on the debian
> security announcement mailing list as only source of security alerts in
> the future.
>
> This would be very convenient- but the delay that seems to have passed
> between the original squirrelmail security announcement and the time I
> received the alert via [EMAIL PROTECTED] is worrying:
>
> The Vulnerability seems to have been described a few weeks ago:
> http://www.squirrelmail.org/security/issue/2005-06-15
>
> The Debian Security Advisory 756-1 is dated July 13th, 2005.
>
>
> I do not want to be rude in any way- please try to excuse my way of putting
> things, but does anybody have a prediction how probable it is for such a
> thing to happen again?
>
> Is there a role/function in debian that is responsible for reviewing
> bugtraq or similar sources, and is ensured that this role is fulfilled
> every day?
>
> Or will there be other measures in place to see that security issues are
> noticed quickly for all packages- even for strange tools that
> are not used by normal unix-centered developers?
>
> Kind regards,
> Herwig Wittmann

Herwig,

I hope this link will help
http://newraff.debian.org/~joeyh/stable-security.html

Regards,
Paddy
-- 
Perl 6 will give you the big knob. -- Larry Wall
Re: Timeliness of Debian Security Announceness? (DSA 756-1 Squirrelmail)
* Herwig Wittmann:
> I do not want to be rude in any way- please try to excuse my way of
> putting things, but does anybody have a prediction how probable it
> is for such a thing to happen again?

Delays in the order of weeks are pretty standard, and they are not always
caused by embargoes. It's a bit unfortunate that the "48 hours" claim is
still on the web page.

> Is there a role/function in debian that is responsible for reviewing
> bugtraq or similar sources, and is ensured that this role is fulfilled
> every day?

Not very formalized, but we have several persons doing public monitoring.
They file bug reports in Debian's Bug Tracking System when they encounter
public reports of security bugs.

For the most exposed packages you use, you should subscribe to the
package-specific email feed which is provided by the Package Tracking
System:

http://packages.qa.debian.org/s/squirrelmail.html

Usually, security bugs reported publicly are filed on the same day in the
Debian BTS, especially if the package has quite a few users. The DSA will
be released when a security update for the stable distribution is
available. As you've noticed, there can be quite some delay.
Timeliness of Debian Security Announceness? (DSA 756-1 Squirrelmail)
Hi!

I am trying to understand if my organization can rely on the debian
security announcement mailing list as only source of security alerts in
the future.

This would be very convenient- but the delay that seems to have passed
between the original squirrelmail security announcement and the time I
received the alert via [EMAIL PROTECTED] is worrying:

The Vulnerability seems to have been described a few weeks ago:
http://www.squirrelmail.org/security/issue/2005-06-15

The Debian Security Advisory 756-1 is dated July 13th, 2005.

I do not want to be rude in any way- please try to excuse my way of putting
things, but does anybody have a prediction how probable it is for such a
thing to happen again?

Is there a role/function in debian that is responsible for reviewing
bugtraq or similar sources, and is ensured that this role is fulfilled
every day?

Or will there be other measures in place to see that security issues are
noticed quickly for all packages- even for strange tools that
are not used by normal unix-centered developers?

Kind regards,
Herwig Wittmann