Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 17 Nov 2020 11:35:21 +0100
From: Morten Linderud <foxboron@...hlinux.org>
To: oss-security@...ts.openwall.com
Cc: "David A. Wheeler" <dwheeler@...eeler.com>
Subject: Re: Buffer Overflow in raptor widely unfixed in Linux
 distros

On Mon, Nov 16, 2020 at 08:06:15PM +0100, Marius Bakke wrote:
> I tried following the CVE assignment RSS feed initially, but it was not
> suitable for human consumption.
> 
> How do other distros keep up with new CVE assignments?

Depends. Commercial distributions like Ubuntu, SUSE or RedHat keeps up mostly(?)
fine by throwing money on the problem. The story is very different on volunteer
distributions.

Arch Linux is unable to keep up.

Consuming the CVE feeds in any structured way takes quite a bit of effort, and
then you need the manpower to wade through the assignments. Even if you did
manage to do all this, there might not be a clear reference of the fix in
question. For all you know the assigned CVE is only for the vulnerability and
there is no fix written yet. You simply do not know.

For Arch Linux it's a manpower problem handling the CVEs and writing advisories
for the published packages, along with things sometimes not being very easy to
fix for package maintainers. It is very much a best effort basis.

Severe issues gets handled in a timely fashion, but it always depends on the
time available of the volunteers.

I think a lot can be solved with information sharing and better tooling. There
was an attempt to have an shared IRC channel for distribution security teams,
and I think initiatives like the OpenSSF vulnerability disclosure WG are
important for this.

https://github.com/ossf/wg-vulnerability-disclosures

-- 
Morten Linderud
PGP: 9C02FF419FECBE16

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.