source: postlfs/security/vulnerabilities.xml@ 86ebbad

11.0 qt5new trunk
Last change on this file since 86ebbad was 86ebbad, checked in by Ken Moffat <ken@…>, 3 months ago

Vulnerabilities: link to our own advisories.

  • Property mode set to 100644
File size: 4.5 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6]>
7
8<sect1 id="vulnerabilities" xreflabel="vulnerabilities">
9 <?dbhtml filename="vulnerabilities.html"?>
10
11 <sect1info>
12 <date>$Date$</date>
13 </sect1info>
14
15 <title>Vulnerabilities</title>
16
17 <!-- section g : 'Others' in longindex.html -->
18 <indexterm zone="vulnerabilities">
19 <primary sortas="g-vulnerabilities">vulnerability links</primary>
20 </indexterm>
21
22 <sect2 role="package">
23 <title>About vulnerabilities</title>
24
25 <para>
26 All software has bugs. Sometimes, a bug can be exploited, for example to
27 allow users to gain enhanced privileges (perhaps gaining a root shell,
28 or simply accessing or deleting other user&apos;s files), or to allow a
29 remote site to crash an application (denial of service), or for theft of
30 data. These bugs are labelled as vulnerabilities.
31 </para>
32
33 <para>
34 The main place where vulnerabilities get logged is
35 <ulink url="http://cve.mitre.org">cve.mitre.org</ulink>. Unfortunately,
36 many vulnerability numbers (CVE-yyyy-nnnn) are initially only labelled
37 as "reserved" when distributions start issuing fixes. Also, some
38 vulnerabilities apply to particular combinations of
39 <command>configure</command> options, or only apply to old versions of
40 packages which have long since been updated in BLFS.
41 </para>
42
43 <para>
44 BLFS differs from distributions&mdash;there is no BLFS security team, and
45 the editors only become aware of vulnerabilities after they are public
46 knowledge. Sometimes, a package with a vulnerability will not be updated
47 in the book for a long time. Issues can be logged in the Trac system,
48 which might speed up resolution.
49 </para>
50
51 <para>
52 The normal way for BLFS to fix a vulnerability is, ideally, to update
53 the book to a new fixed release of the package. Sometimes that happens
54 even before the vulnerability is public knowledge, so there is no
55 guarantee that it will be shown as a vulnerability fix in the Changelog.
56 Alternatively, a <command>sed</command> command, or a patch taken from
57 a distribution, may be appropriate.
58 </para>
59
60 <para>
61 The bottom line is that you are responsible for your own security, and
62 for assessing the potential impact of any problems.
63 </para>
64
65 <para>
66 The editors now issue Security Advisories for packages in BLFS (and LFS),
67 which can be found at <ulink
68 url="https://www.linuxfromscratch.org/blfs/advisories/">BLFS Security
69 Advisories</ulink>, and grade the severity according to what upstream
70 reports, or to what is shown at <ulink
71 url="https://nvd.nist.gov/">nvd.nist.gov</ulink> if that has details.
72 </para>
73
74 <para>
75 To keep track of what is being discovered, you may wish to follow the
76 security announcements of one or more distributions. For example, Debian
77 has <ulink url="http://www.debian.org/security">Debian security</ulink>.
78 Fedora's links on security are at <ulink
79 url="http://fedoraproject.org/wiki/Security">the Fedora wiki</ulink>.
80 Details of Gentoo linux security announcements are discussed at
81 <ulink url="https://security.gentoo.org">Gentoo security</ulink>.
82 Finally, the Slackware archives of security announcements are at
83 <ulink url="http://slackware.com/security">Slackware security</ulink>.
84 </para>
85
86 <para>
87 The most general English source is perhaps
88 <ulink url="http://seclists.org/fulldisclosure">the Full Disclosure
89 Mailing List</ulink>, but please read the comment on that page. If you
90 use other languages you may prefer other sites such as <ulink
91 url="http://www.heise.de/security">heise.de</ulink> (German) or <ulink
92 url="http://www.cert.hr">cert.hr</ulink> (Croatian). These are not
93 linux-specific. There is also a daily update at lwn.net for subscribers
94 (free access to the data after 2 weeks, but their vulnerabilities
95 database at <ulink
96 url="http://lwn.net/Vulnerabilities/">lwn.net/Vulnerabilities</ulink>
97 is unrestricted).
98 </para>
99
100 <para>
101 For some packages, subscribing to their &apos;announce&apos; lists
102 will provide prompt news of newer versions.
103 </para>
104
105 <para condition="html" role="usernotes">User Notes:
106 <ulink url="&blfs-wiki;/vulnerabilities"/></para>
107
108 </sect2>
109
110</sect1>
Note: See TracBrowser for help on using the repository browser.