Javier Fernández-Sanguino Peña wrote:
> I have finished writing the paper for the security workshop I proposed for
> Debconf6: "Weeding out security bugs". I would *really* appreciate if
> somebody could read it and comment on it, you can find it here:
> http://people.debian.org/~jfs/debconf6/#security
Some brief comments:
- The NVD vulnerability classifications aren't very useful IMO, better use
the classifications used in the DSAs.
- Coverity Prevent has only found a single genuine security problem so far
(a local privilege escalation in x.org due to a typo, which caused a
condition always to be true), it mostly finds unused variables and such.
- For chapter 4: Don't put arbitrary junk into the archive: we've had DSAs for
software which had more CVE IDs fixed than voting popcon users, and we have
software in the archive that has a security history like this:
  gallery2 (2.0.1-1) unstable; urgency=high
  .
    * New upstream release (Closes: #333961)
      + Urgency high due to security issue (Input sanitization)
  gallery2 (2.0.2-1) unstable; urgency=high
  .
    * New upstream release (Closes: #341270)
      + Urgency high due to security issues
        - Fixes security flaw in zipcart that could allow remote
          visitors to view sensitive files on your webserver
        - fixes an XSS issue in add-from-web
        - Obscures the naming of the install.log file
  gallery2 (2.0.3-1) unstable; urgency=high
  .
    * New upstream release (Closes: #355009)
      + Urgency high due to security issues
        - Fixes minor XSS issue
        - Fixes session code issue that could allow users to remotely delete
          session files
  gallery2 (2.0.4-1) unstable; urgency=high
  .
    * New upstream release (Closes: #356446)
      + Urgency high due to security issues
        - Fixes local inclusion exploit available when register_globals is on
- For chapter 5: We'll have quite good mitigation techniques in Etch; namely
address space randomization in the kernel and safe builtins in GCC 4.1.
Cheers,
Moritz
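An added example, not part of the mail or of the paper it discusses: a small scanner that parses the debian/changelog format quoted above and pulls out the high-urgency uploads whose entries say they were made for a security fix, so that a package's security history can be set against its popcon count as Moritz suggests. The gallery2 entries are embedded as constructed input (re-indented, trailer lines omitted); the keyword list and the popcon figures are assumptions.

```python
import re

# Constructed input: the gallery2 entries quoted in the mail, laid out as debian/changelog has them.
SAMPLE_CHANGELOG = """\
gallery2 (2.0.1-1) unstable; urgency=high
  * New upstream release (Closes: #333961)
    + Urgency high due to security issue (Input sanitization)
gallery2 (2.0.2-1) unstable; urgency=high
  * New upstream release (Closes: #341270)
    + Urgency high due to security issues
      - Fixes security flaw in zipcart that could allow remote
        visitors to view sensitive files on your webserver
      - fixes an XSS issue in add-from-web
      - Obscures the naming of the install.log file
gallery2 (2.0.3-1) unstable; urgency=high
  * New upstream release (Closes: #355009)
    + Urgency high due to security issues
      - Fixes minor XSS issue
      - Fixes session code issue that could allow users to remotely delete
        session files
gallery2 (2.0.4-1) unstable; urgency=high
  * New upstream release (Closes: #356446)
    + Urgency high due to security issues
      - Fixes local inclusion exploit available when register_globals is on
"""

HEADER = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=(\w+)")
# Assumed keyword list; tune it to the maintainers' wording in the archive you scan.
SECURITY = re.compile(r"\b(security|xss|cve-\d{4}-\d+|exploit|inclusion|sanitiz)", re.I)

def parse_changelog(text):
    """Return [(version, urgency, [stripped body lines])] in file order."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # a header line starts a new entry
            entries.append((m.group(2), m.group(4), []))
        elif entries and line.strip():
            entries[-1][2].append(line.strip())
    return entries

def security_uploads(entries):
    """High-urgency uploads whose own text says they fixed security issues, with those lines."""
    return [(v, [l for l in body if SECURITY.search(l)])
            for v, urg, body in entries
            if urg in ("high", "emergency") and any(SECURITY.search(l) for l in body)]

def worth_a_second_look(entries, popcon_votes):
    # Moritz's rule of thumb: more security uploads than voting popcon users is a red flag.
    return len(security_uploads(entries)) >= popcon_votes
```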