This is a discussion on Security updates for Linux distros within the Linux Security forums, part of the System Security and Security Related category.
I recently posted a query here about the absence of security updates for Xandros OS. Thanks to all who responded.

The last security update for Xandros Desktop OS v.2.0.1 (a "general security update") was issued nine months ago. Since then Debian, on which Xandros is based, has released 179 security advisories (DSA-535 to DSA-714). This includes the following packages, most of which are commonly used system files and which are part of the default install of Xandros Desktop:

libpng (*536), kdelibs (539), qt (*542), gtk+ (*549), imlib (*548), imlib2 (*549), xfree86 (561), sox (*565), libpng (*570), iptables (580), gzip (588), openssl (603), xfree86 (*607), htget (*611), imlib (*618), cupsys (*621), zip (*624), imlib2 (*628), exim (*635), glibc (*636), cupsys (*645), xine-lib (*657), kdelibs (*714)

For details see http://www.debian.org/security/2004/ and http://www.debian.org/security/2005/. I have flagged packages (*) that appear to have fairly serious security vulnerabilities (i.e. vulnerabilities that according to the DSA "may be utilised by an attacker to execute arbitrary code on the victim's machine"). The numbers in brackets are the DSA numbers (DSA = Debian Security Advisory). In most cases, the DSA states "We recommend that you upgrade your xxxxx package"; in a few cases it adds "immediately" (e.g. DSA-607 xfree86 xlibs package).

Debian has supplied fixes for all of these for the woody distribution. Fixes are also available for many of them for the sid distribution or else, as Debian states, "the problem will be fixed soon". Strangely, for the sarge versions of these packages no patches appear to be available.

These packages are part of the base install of practically every Linux distribution. What has been the action of the vendor/developer of your distribution with regard to these vulnerabilities (did they post alerts and fixes?) and what did you decide to do?

Can one simply shrug off these alerts as being inconsequential for a desktop machine configured in a standard way, as Xandros appears to have done, or is there cause for concern and action? I'm running Xandros 2.0.1 as a desktop OS; no servers are enabled nor is Windows file sharing. I have a broadband connection to the Internet (computer > NAT router > cable modem > ISP). An iptables firewall (configured with Firestarter 0.92) is installed on my system, with Firestarter's default settings (DHCP, access to all services disabled, ToS filtering and ICMP filtering disabled); the firewall is enabled at bootup.

Thanks for your help.

Robert
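One way to do by script the cross-check the poster did by hand, as an added example that is not the poster's code: it parses the advisory list in the post's own "package (*DSA)" notation and matches it against `dpkg -l` output. The `dpkg -l` sample is constructed, and the prefix rule mapping source names (libpng, xfree86) to binary package names is an assumption.

```python
"""Triage installed packages against the DSA list quoted in the post."""
import re
from dataclasses import dataclass

# The package/DSA list exactly as written in the post; "*" marks entries the
# poster flagged as allowing arbitrary code execution.
POST_LIST = (
    "libpng (*536), kdelibs (539), qt (*542), gtk+ (*549), imlib (*548), "
    "imlib2 (*549), xfree86 (561), sox (*565), libpng (*570), iptables (580), "
    "gzip (588), openssl (603), xfree86 (*607), htget (*611), imlib (*618), "
    "cupsys (*621), zip (*624), imlib2 (*628), exim (*635), glibc (*636), "
    "cupsys (*645), xine-lib (*657), kdelibs (*714)"
)

# Constructed sample of `dpkg -l` output (not real Xandros data). The first
# column is the package state: "ii" = installed, "rc" = removed, config left.
SAMPLE_DPKG_L = """\
ii  gzip           1.3.2-3      The GNU compression utility
ii  libpng2        1.0.12-3     PNG library - runtime
ii  openssl        0.9.6c-2     Secure Socket Layer (SSL) binary
rc  exim           3.35-1       An MTA (Mail Transport Agent)
ii  xfree86-common 4.1.0-16     X Window System (XFree86) infrastructure
"""

@dataclass(frozen=True)
class Advisory:
    package: str
    dsa: int
    serious: bool  # flagged with "*" in the post

ENTRY_RE = re.compile(r"([\w+.-]+)\s*\((\*?)(\d+)\)")

def parse_post_list(text: str) -> list[Advisory]:
    """Turn 'pkg (*NNN), pkg (NNN)' into Advisory records, in post order."""
    return [Advisory(p, int(n), star == "*") for p, star, n in ENTRY_RE.findall(text)]

def installed_packages(dpkg_output: str) -> set[str]:
    """Names of packages whose dpkg state is 'ii' (fully installed)."""
    names = set()
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ii":
            names.add(parts[1])
    return names

def outstanding(advisories: list[Advisory], installed: set[str]) -> list[Advisory]:
    """Advisories whose source name equals or prefixes an installed binary
    package (assumed mapping: libpng -> libpng2, xfree86 -> xfree86-common).
    Serious ones first, then by DSA number. This is a triage list only: the
    installed version may already carry the fix, so check each DSA's versions."""
    hits = [a for a in advisories
            if any(n == a.package or n.startswith(a.package) for n in installed)]
    return sorted(set(hits), key=lambda a: (not a.serious, a.dsa))
```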