| 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
|---|
| 2 | <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
|---|
| 3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|---|
| 4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
|---|
| 5 | %general-entities;
|
|---|
| 6 | ]>
|
|---|
| 7 |
|
|---|
| 8 | <sect1 id="vulnerabilities" xreflabel="vulnerabilities">
|
|---|
| 9 | <?dbhtml filename="vulnerabilities.html"?>
|
|---|
| 10 |
|
|---|
| 11 | <sect1info>
|
|---|
| 12 | <othername>$LastChangedBy$</othername>
|
|---|
| 13 | <date>$Date$</date>
|
|---|
| 14 | </sect1info>
|
|---|
| 15 |
|
|---|
| 16 | <title>Vulnerabilities</title>
|
|---|
| 17 |
|
|---|
| 18 | <!-- section g : 'Others' in longindex.html -->
|
|---|
| 19 | <indexterm zone="vulnerabilities">
|
|---|
| 20 | <primary sortas="g-vulnerabilities">vulnerability links</primary>
|
|---|
| 21 | </indexterm>
|
|---|
| 22 |
|
|---|
| 23 | <sect2 role="package">
|
|---|
| 24 | <title>About vulnerabilities</title>
|
|---|
| 25 |
|
|---|
| 26 | <para>
|
|---|
| 27 | All software has bugs. Sometimes, a bug can be exploited, for example to
|
|---|
| 28 | allow users to gain enhanced privileges (perhaps gaining a root shell,
|
|---|
| 29 | or simply accessing or deleting other user's files), or to allow a
|
|---|
| 30 | remote site to crash an application (denial of service), or for theft of
|
|---|
| 31 | data. These bugs are labelled as vulnerabilities.
|
|---|
| 32 | </para>
|
|---|
| 33 |
|
|---|
| 34 | <para>
|
|---|
| 35 | The main place where vulnerabilities get logged is
|
|---|
| 36 | <ulink url="http://cve.mitre.org">cve.mitre.org</ulink>. Unfortunately,
|
|---|
| 37 | many vulnerability numbers (CVE-yyyy-nnnn) are initially only labelled
|
|---|
| 38 | as "reserved" when distributions start issuing fixes. Also, some
|
|---|
| 39 | vulnerabilities apply to particular combinations of
|
|---|
| 40 | <command>configure</command> options, or only apply to old versions of
|
|---|
| 41 | packages which have long since been updated in BLFS.
|
|---|
| 42 | </para>
|
|---|
| 43 |
|
|---|
| 44 | <para>
|
|---|
| 45 | BLFS differs from distributions—there is no BLFS security team, and
|
|---|
| 46 | the editors only become aware of vulnerabilities after they are public
|
|---|
| 47 | knowledge. Sometimes, a package with a vulnerability will not be updated
|
|---|
| 48 | in the book for a long time. Issues can be logged in the Trac system,
|
|---|
| 49 | which might speed up resolution.
|
|---|
| 50 | </para>
|
|---|
| 51 |
|
|---|
| 52 | <para>
|
|---|
| 53 | The normal way for BLFS to fix a vulnerability is, ideally, to update
|
|---|
| 54 | the book to a new fixed release of the package. Sometimes that happens
|
|---|
| 55 | even before the vulnerability is public knowledge, so there is no
|
|---|
| 56 | guarantee that it will be shown as a vulnerability fix in the Changelog.
|
|---|
| 57 | Alternatively, a <command>sed</command> command, or a patch taken from
|
|---|
| 58 | a distribution, may be appropriate.
|
|---|
| 59 | </para>
|
|---|
| 60 |
|
|---|
| 61 | <para>
|
|---|
| 62 | The bottom line is that you are responsible for your own security, and
|
|---|
| 63 | for assessing the potential impact of any problems.
|
|---|
| 64 | </para>
|
|---|
| 65 |
|
|---|
| 66 | <para>
|
|---|
| 67 | To keep track of what is being discovered, you may wish to follow the
|
|---|
| 68 | security announcements of one or more distributions. For example, Debian
|
|---|
| 69 | has <ulink url="http://www.debian.org/security">Debian security</ulink>.
|
|---|
| 70 | Fedora's links on security are at <ulink
|
|---|
| 71 | url="http://fedoraproject.org/wiki/Security">the Fedora wiki</ulink>.
|
|---|
| 72 | Details of Gentoo linux security announcements are discussed at
|
|---|
| 73 | <ulink url="https://security.gentoo.org">Gentoo security</ulink>.
|
|---|
| 74 | Finally, the Slackware archives of security announcements are at
|
|---|
| 75 | <ulink url="http://slackware.com/security">Slackware security</ulink>.
|
|---|
| 76 | </para>
|
|---|
| 77 |
|
|---|
| 78 | <para>
|
|---|
| 79 | The most general English source is perhaps
|
|---|
| 80 | <ulink url="http://seclists.org/fulldisclosure">the Full Disclosure
|
|---|
| 81 | Mailing List</ulink>, but please read the comment on that page. If you
|
|---|
| 82 | use other languages you may prefer other sites such as <ulink
|
|---|
| 83 | url="http://www.heise.de/security">heise.de</ulink> (German) or <ulink
|
|---|
| 84 | url="http://www.cert.hr">cert.hr</ulink> (Croatian). These are not
|
|---|
| 85 | linux-specific. There is also a daily update at lwn.net for subscribers
|
|---|
| 86 | (free access to the data after 2 weeks, but their vulnerabilities
|
|---|
| 87 | database at <ulink
|
|---|
| 88 | url="http://lwn.net/Vulnerabilities/">lwn.net/Vulnerabilities</ulink>
|
|---|
| 89 | is unrestricted).
|
|---|
| 90 | </para>
|
|---|
| 91 |
|
|---|
| 92 | <para>
|
|---|
| 93 | For some packages, subscribing to their 'announce' lists
|
|---|
| 94 | will provide prompt news of newer versions.
|
|---|
| 95 | </para>
|
|---|
| 96 |
|
|---|
| 97 | <para condition="html" role="usernotes">User Notes:
|
|---|
| 98 | <ulink url="&blfs-wiki;/vulnerabilities"/></para>
|
|---|
| 99 |
|
|---|
| 100 | </sect2>
|
|---|
| 101 |
|
|---|
| 102 | </sect1>
|
|---|
