Changeset 47274444 for postlfs/security/vulnerabilities.xml

Timestamp:

03/24/2020 07:19:44 PM (4 years ago)

Author:

Pierre Labastie <pieere@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

fa3edfef

Parents:

914049f6

Message:

Format postlfs/security and misc/forgotten

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22884 af4574ff-66df-0310-9fd7-8a98e5e911e0

File:

• postlfs/security/vulnerabilities.xml (modified) (1 diff)

postlfs/security/vulnerabilities.xml

@@ -24 +24 @@
     <title>About vulnerabilities</title>
 
-    <para>All software has bugs. Sometimes, a bug can be exploited, for example
-    to allow users to gain enhanced privileges (perhaps gaining a root shell, or
-    simply accessing or deleting other user&apos;s files), or to allow a remote
-    site to crash an application (denial of service), or for theft of data. These
-    bugs are labelled as vulnerabilities.</para>
-
-    <para>The main place where vulnerabilities get logged is
-    <ulink url="http://cve.mitre.org">cve.mitre.org</ulink>.
-    Unfortunately, many vulnerability numbers (CVE-yyyy-nnnn) are initially only
-    labelled as "reserved" when distributions start issuing fixes.  Also, some
-    vulnerabilities apply to particular combinations of
-    <command>configure</command> options, or only apply to old versions of
-    packages which have long since been updated in BLFS.</para>
-
-    <para>BLFS differs from distributions - there is no BLFS security team, and
-    the editors only become aware of vulnerabilities after they are public
-    knowledge. Sometimes, a package with a vulnerability will not be updated in
-    the book for a long time.  Issues can be logged in the Trac system, which
-    might speed up resolution.</para>
-
-    <para>The normal way for BLFS to fix a vulnerability is, ideally, to update
-    the book to a new fixed release of the package.  Sometimes that happens even
-    before the vulnerability is public knowledge, so there is no guarantee that
-    it will be shown as a vulnerability fix in the Changelog. Alternatively, a
-    <command>sed</command> command, or a patch taken from a distribution, may be
-    appropriate.</para>
-
-    <para>The bottom line is that you are responsible for your own security, and
-    for assessing the potential impact of any problems.</para>
-
-    <para>To keep track of what is being discovered, you may wish to follow the
-    security announcements of one or more distributions.  For example, Debian has
-    <ulink url="http://www.debian.org/security">Debian security</ulink>.
-    Fedora's links on security are at
-    <ulink url="http://fedoraproject.org/wiki/Security">the Fedora wiki</ulink>.
-    Details of Gentoo linux security announcements are discussed at
-    <ulink url="https://security.gentoo.org">Gentoo security</ulink>.
-    Finally, the Slackware archives of security announcements are at
-    <ulink url="http://slackware.com/security">Slackware security</ulink>.
+    <para>
+      All software has bugs. Sometimes, a bug can be exploited, for example to
+      allow users to gain enhanced privileges (perhaps gaining a root shell,
+      or simply accessing or deleting other user&apos;s files), or to allow a
+      remote site to crash an application (denial of service), or for theft of
+      data. These bugs are labelled as vulnerabilities.
     </para>
 
-    <para>The most general English source is perhaps
-    <ulink url="http://seclists.org/fulldisclosure">the Full Disclosure Mailing
-    List</ulink>, but please read the comment on that page. If you use other
-    languages you may prefer other sites such as http://www.heise.de/security
-    <ulink url="http://www.heise.de/security">heise.de</ulink> (German) or
-    <ulink url="http://www.cert.hr">cert.hr</ulink> (Croatian). These are not
-    linux-specific. There is also a daily update at lwn.net for subscribers
-    (free access to the data after 2 weeks, but their vulnerabilities database at
-    <ulink url="http://lwn.net/Vulnerabilities/">lwn.net/Vulnerabilities</ulink>
-    is unrestricted).</para>
+    <para>
+      The main place where vulnerabilities get logged is
+      <ulink url="http://cve.mitre.org">cve.mitre.org</ulink>. Unfortunately,
+      many vulnerability numbers (CVE-yyyy-nnnn) are initially only labelled
+      as "reserved" when distributions start issuing fixes.  Also, some
+      vulnerabilities apply to particular combinations of
+      <command>configure</command> options, or only apply to old versions of
+      packages which have long since been updated in BLFS.
+    </para>
 
-    <para>For some packages, subscribing to their &apos;announce&apos; lists
-    will provide prompt news of newer versions.</para>
+    <para>
+      BLFS differs from distributions&mdash;there is no BLFS security team, and
+      the editors only become aware of vulnerabilities after they are public
+      knowledge. Sometimes, a package with a vulnerability will not be updated
+      in the book for a long time.  Issues can be logged in the Trac system,
+      which might speed up resolution.
+    </para>
+
+    <para>
+      The normal way for BLFS to fix a vulnerability is, ideally, to update
+      the book to a new fixed release of the package.  Sometimes that happens
+      even before the vulnerability is public knowledge, so there is no
+      guarantee that it will be shown as a vulnerability fix in the Changelog.
+      Alternatively, a <command>sed</command> command, or a patch taken from
+      a distribution, may be appropriate.
+    </para>
+
+    <para>
+      The bottom line is that you are responsible for your own security, and
+      for assessing the potential impact of any problems.
+    </para>
+
+    <para>
+      To keep track of what is being discovered, you may wish to follow the
+      security announcements of one or more distributions. For example, Debian
+      has <ulink url="http://www.debian.org/security">Debian security</ulink>.
+      Fedora's links on security are at <ulink
+        url="http://fedoraproject.org/wiki/Security">the Fedora wiki</ulink>.
+      Details of Gentoo linux security announcements are discussed at
+      <ulink url="https://security.gentoo.org">Gentoo security</ulink>.
+      Finally, the Slackware archives of security announcements are at
+      <ulink url="http://slackware.com/security">Slackware security</ulink>.
+    </para>
+
+    <para>
+      The most general English source is perhaps
+      <ulink url="http://seclists.org/fulldisclosure">the Full Disclosure
+      Mailing List</ulink>, but please read the comment on that page. If you
+      use other languages you may prefer other sites such as <ulink
+        url="http://www.heise.de/security">heise.de</ulink> (German) or <ulink
+        url="http://www.cert.hr">cert.hr</ulink> (Croatian). These are not
+      linux-specific. There is also a daily update at lwn.net for subscribers
+      (free access to the data after 2 weeks, but their vulnerabilities
+      database at <ulink
+        url="http://lwn.net/Vulnerabilities/">lwn.net/Vulnerabilities</ulink>
+      is unrestricted).
+    </para>
+
+    <para>
+      For some packages, subscribing to their &apos;announce&apos; lists
+      will provide prompt news of newer versions.
+    </para>
 
     <para condition="html" role="usernotes">User Notes: