Changeset 47274444 for postlfs/security/vulnerabilities.xml
Timestamp: 03/24/2020 07:19:44 PM
Branches: 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
Children: fa3edfef
Parents: 914049f6
Files: 1 edited
postlfs/security/vulnerabilities.xml
r914049f6 r47274444 24 24 <title>About vulnerabilities</title> 25 25 26 <para>All software has bugs. Sometimes, a bug can be exploited, for example 27 to allow users to gain enhanced privileges (perhaps gaining a root shell, or 28 simply accessing or deleting other user's files), or to allow a remote 29 site to crash an application (denial of service), or for theft of data. These 30 bugs are labelled as vulnerabilities.</para> 31 32 <para>The main place where vulnerabilities get logged is 33 <ulink url="http://cve.mitre.org">cve.mitre.org</ulink>. 34 Unfortunately, many vulnerability numbers (CVE-yyyy-nnnn) are initially only 35 labelled as "reserved" when distributions start issuing fixes. Also, some 36 vulnerabilities apply to particular combinations of 37 <command>configure</command> options, or only apply to old versions of 38 packages which have long since been updated in BLFS.</para> 39 40 <para>BLFS differs from distributions - there is no BLFS security team, and 41 the editors only become aware of vulnerabilities after they are public 42 knowledge. Sometimes, a package with a vulnerability will not be updated in 43 the book for a long time. Issues can be logged in the Trac system, which 44 might speed up resolution.</para> 45 46 <para>The normal way for BLFS to fix a vulnerability is, ideally, to update 47 the book to a new fixed release of the package. Sometimes that happens even 48 before the vulnerability is public knowledge, so there is no guarantee that 49 it will be shown as a vulnerability fix in the Changelog. Alternatively, a 50 <command>sed</command> command, or a patch taken from a distribution, may be 51 appropriate.</para> 52 53 <para>The bottom line is that you are responsible for your own security, and 54 for assessing the potential impact of any problems.</para> 55 56 <para>To keep track of what is being discovered, you may wish to follow the 57 security announcements of one or more distributions. 
For example, Debian has 58 <ulink url="http://www.debian.org/security">Debian security</ulink>. 59 Fedora's links on security are at 60 <ulink url="http://fedoraproject.org/wiki/Security">the Fedora wiki</ulink>. 61 Details of Gentoo linux security announcements are discussed at 62 <ulink url="https://security.gentoo.org">Gentoo security</ulink>. 63 Finally, the Slackware archives of security announcements are at 64 <ulink url="http://slackware.com/security">Slackware security</ulink>. 26 <para> 27 All software has bugs. Sometimes, a bug can be exploited, for example to 28 allow users to gain enhanced privileges (perhaps gaining a root shell, 29 or simply accessing or deleting other user's files), or to allow a 30 remote site to crash an application (denial of service), or for theft of 31 data. These bugs are labelled as vulnerabilities. 65 32 </para> 66 33 67 <para>The most general English source is perhaps 68 <ulink url="http://seclists.org/fulldisclosure">the Full Disclosure Mailing 69 List</ulink>, but please read the comment on that page. If you use other 70 languages you may prefer other sites such as http://www.heise.de/security 71 <ulink url="http://www.heise.de/security">heise.de</ulink> (German) or 72 <ulink url="http://www.cert.hr">cert.hr</ulink> (Croatian). These are not 73 linux-specific. There is also a daily update at lwn.net for subscribers 74 (free access to the data after 2 weeks, but their vulnerabilities database at 75 <ulink url="http://lwn.net/Vulnerabilities/">lwn.net/Vulnerabilities</ulink> 76 is unrestricted).</para> 34 <para> 35 The main place where vulnerabilities get logged is 36 <ulink url="http://cve.mitre.org">cve.mitre.org</ulink>. Unfortunately, 37 many vulnerability numbers (CVE-yyyy-nnnn) are initially only labelled 38 as "reserved" when distributions start issuing fixes. 
Also, some 39 vulnerabilities apply to particular combinations of 40 <command>configure</command> options, or only apply to old versions of 41 packages which have long since been updated in BLFS. 42 </para> 77 43 78 <para>For some packages, subscribing to their 'announce' lists 79 will provide prompt news of newer versions.</para> 44 <para> 45 BLFS differs from distributions—there is no BLFS security team, and 46 the editors only become aware of vulnerabilities after they are public 47 knowledge. Sometimes, a package with a vulnerability will not be updated 48 in the book for a long time. Issues can be logged in the Trac system, 49 which might speed up resolution. 50 </para> 51 52 <para> 53 The normal way for BLFS to fix a vulnerability is, ideally, to update 54 the book to a new fixed release of the package. Sometimes that happens 55 even before the vulnerability is public knowledge, so there is no 56 guarantee that it will be shown as a vulnerability fix in the Changelog. 57 Alternatively, a <command>sed</command> command, or a patch taken from 58 a distribution, may be appropriate. 59 </para> 60 61 <para> 62 The bottom line is that you are responsible for your own security, and 63 for assessing the potential impact of any problems. 64 </para> 65 66 <para> 67 To keep track of what is being discovered, you may wish to follow the 68 security announcements of one or more distributions. For example, Debian 69 has <ulink url="http://www.debian.org/security">Debian security</ulink>. 70 Fedora's links on security are at <ulink 71 url="http://fedoraproject.org/wiki/Security">the Fedora wiki</ulink>. 72 Details of Gentoo linux security announcements are discussed at 73 <ulink url="https://security.gentoo.org">Gentoo security</ulink>. 74 Finally, the Slackware archives of security announcements are at 75 <ulink url="http://slackware.com/security">Slackware security</ulink>. 
76 </para> 77 78 <para> 79 The most general English source is perhaps 80 <ulink url="http://seclists.org/fulldisclosure">the Full Disclosure 81 Mailing List</ulink>, but please read the comment on that page. If you 82 use other languages you may prefer other sites such as <ulink 83 url="http://www.heise.de/security">heise.de</ulink> (German) or <ulink 84 url="http://www.cert.hr">cert.hr</ulink> (Croatian). These are not 85 linux-specific. There is also a daily update at lwn.net for subscribers 86 (free access to the data after 2 weeks, but their vulnerabilities 87 database at <ulink 88 url="http://lwn.net/Vulnerabilities/">lwn.net/Vulnerabilities</ulink> 89 is unrestricted). 90 </para> 91 92 <para> 93 For some packages, subscribing to their 'announce' lists 94 will provide prompt news of newer versions. 95 </para> 80 96 81 97 <para condition="html" role="usernotes">User Notes:
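Review bot: the rewrap of old lines 26-95 into new lines 26-95 also carries two content changes that are invisible in a whitespace-only reading and should be called out in the commit message: the stray bare text `http://www.heise.de/security` that sat before the heise.de `<ulink>` on old line 70 is dropped (a genuine fix, since it rendered the URL twice), and the spaced hyphen in "BLFS differs from distributions - there is no BLFS security team" on old line 40 becomes an unspaced em-dash (U+2014) on new line 45. Since every line of the section is touched anyway, two small errors survive the reflow and could go in the same pass: "other user's files" on new line 29 should read "other users' files", and "Gentoo linux" on new line 72 should read "Gentoo Linux". Lastly, all but one of the `<ulink>` targets here are still plain `http://` (cve.mitre.org, debian.org/security, fedoraproject.org, slackware.com/security, seclists.org, heise.de, cert.hr, lwn.net); for a page that tells readers where to fetch security advisories, switching each to `https://` where the site serves it would be consistent with the existing `https://security.gentoo.org` link and avoids pointing readers at advisory feeds over an unauthenticated transport.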