1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
2 | <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
5 | %general-entities;
|
---|
6 | ]>
|
---|
7 |
|
---|
8 | <sect1 id="vulnerabilities" xreflabel="vulnerabilities">
|
---|
9 | <?dbhtml filename="vulnerabilities.html"?>
|
---|
10 |
|
---|
11 | <sect1info>
|
---|
12 | <othername>$LastChangedBy$</othername>
|
---|
13 | <date>$Date$</date>
|
---|
14 | </sect1info>
|
---|
15 |
|
---|
16 | <title>Vulnerabilities</title>
|
---|
17 |
|
---|
18 | <!-- section g : 'Others' in longindex.html -->
|
---|
19 | <indexterm zone="vulnerabilities">
|
---|
20 | <primary sortas="g-vulnerabilities">vulnerability links</primary>
|
---|
21 | </indexterm>
|
---|
22 |
|
---|
23 | <sect2 role="package">
|
---|
24 | <title>About vulnerabilities</title>
|
---|
25 |
|
---|
26 | <para>All software has bugs. Sometimes, a bug can be exploited, for example
|
---|
27 | to allow users to gain enhanced privileges (perhaps gaining a root shell, or
|
---|
28 | simply accessing or deleting other user's files), or to allow a remote
|
---|
29 | site to crash an application (denial of service), or for theft of data. These
|
---|
30 | bugs are labelled as vulnerabilities.</para>
|
---|
31 |
|
---|
32 | <para>The main place where vulnerabilities get logged is
|
---|
33 | <ulink url="http://cve.mitre.org">cve.mitre.org</ulink>.
|
---|
34 | Unfortunately, many vulnerability numbers (CVE-yyyy-nnnn) are initially only
|
---|
35 | labelled as "reserved" when distributions start issuing fixes. Also, some
|
---|
36 | vulnerabilities apply to particular combinations of
|
---|
37 | <command>configure</command> options, or only apply to old versions of
|
---|
38 | packages which have long since been updated in BLFS.</para>
|
---|
39 |
|
---|
40 | <para>BLFS differs from distributions - there is no BLFS security team, and
|
---|
41 | the editors only become aware of vulnerabilities after they are public
|
---|
42 | knowledge. Sometimes, a package with a vulnerability will not be updated in
|
---|
43 | the book for a long time. Issues can be logged in the Trac system, which
|
---|
44 | might speed up resolution.</para>
|
---|
45 |
|
---|
46 | <para>The normal way for BLFS to fix a vulnerability is, ideally, to update
|
---|
47 | the book to a new fixed release of the package. Sometimes that happens even
|
---|
48 | before the vulnerability is public knowledge, so there is no guarantee that
|
---|
49 | it will be shown as a vulnerability fix in the Changelog. Alternatively, a
|
---|
50 | <command>sed</command> command, or a patch taken from a distribution, may be
|
---|
51 | appropriate.</para>
|
---|
52 |
|
---|
53 | <para>The bottom line is that you are responsible for your own security, and
|
---|
54 | for assessing the potential impact of any problems.</para>
|
---|
55 |
|
---|
56 | <para>To keep track of what is being discovered, you may wish to follow the
|
---|
57 | security announcements of one or more distributions. For example, Debian has
|
---|
58 | <ulink url="http://www.debian.org/security">Debian security</ulink>.
|
---|
59 | Fedora's links on security are at
|
---|
60 | <ulink url="http://fedoraproject.org/wiki/Security">the Fedora wiki</ulink>.
|
---|
61 | Details of Gentoo linux security announcements are discussed at
|
---|
62 | <ulink url="https://security.gentoo.org">Gentoo security</ulink>.
|
---|
63 | Finally, the Slackware archives of security announcements are at
|
---|
64 | <ulink url="http://slackware.com/security">Slackware security</ulink>.
|
---|
65 | </para>
|
---|
66 |
|
---|
67 | <para>The most general English source is perhaps
|
---|
68 | <ulink url="http://seclists.org/fulldisclosure">the Full Disclosure Mailing
|
---|
69 | List</ulink>, but please read the comment on that page. If you use other
|
---|
70 | languages you may prefer other sites such as http://www.heise.de/security
|
---|
71 | <ulink url="http://www.heise.de/security">heise.de</ulink> (German) or
|
---|
72 | <ulink url="http://www.cert.hr">cert.hr</ulink> (Croatian). These are not
|
---|
73 | linux-specific. There is also a daily update at lwn.net for subscribers
|
---|
74 | (free access to the data after 2 weeks, but their vulnerabilities database at
|
---|
75 | <ulink url="http://lwn.net/Vulnerabilities/">lwn.net/Vulnerabilities</ulink>
|
---|
76 | is unrestricted).</para>
|
---|
77 |
|
---|
78 | <para>For some packages, subscribing to their 'announce' lists
|
---|
79 | will provide prompt news of newer versions.</para>
|
---|
80 |
|
---|
81 | <para condition="html" role="usernotes">User Notes:
|
---|
82 | <ulink url="&blfs-wiki;/vulnerabilities"/></para>
|
---|
83 |
|
---|
84 | </sect2>
|
---|
85 |
|
---|
86 | </sect1>
|
---|