glfs/postlfs/security/vulnerabilities.xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;
]>

<sect1 id="vulnerabilities" xreflabel="vulnerabilities">
  <?dbhtml filename="vulnerabilities.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>Vulnerabilities</title>

  <!-- section g : 'Others' in longindex.html -->
  <indexterm zone="vulnerabilities">
    <primary sortas="g-vulnerabilities">vulnerability links</primary>
  </indexterm>

  <sect2 role="package">
    <title>About vulnerabilities</title>

    <para>All software has bugs. Sometimes, a bug can be exploited, for example
    to allow users to gain enhanced privileges (perhaps gaining a root shell, or
    simply accessing or deleting other users&apos; files), or to allow a remote
    site to crash an application (denial of service), or for theft of data. These
    bugs are labelled as vulnerabilities.</para>

    <para>The main place where vulnerabilities get logged is
    <ulink url="http://cve.mitre.org">cve.mitre.org</ulink>.
    Unfortunately, many vulnerabily numbers (CVE-yyyy-nnnn) are initially only
    labelled as "reserved" when distributions start issuing fixes.  Also, some
    vulnerabilities apply to particular combinations of
    <command>configure</command> options, or only apply to old versions of
    packages which have long since been updated in BLFS.</para>

    <para>BLFS differs from distributions - there is no BLFS security team and
    the editors only become aware of vulnerabilities after they are public
    knowledge. Sometimes, a package with a vulnerability will not be updated in
    the book for a long time.  Issues can be logged in the trac system, which
    might speed up resolution.</para>

    <para>The normal way for BLFS to fix a vulnerability is, ideally, to update
    the book to a new fixed releasse of the package.  Sometimes that happens even
    before the vulnerability is public knowledge, so there is no guarantee that
    it will be shown as a vulnerability fix in the Changelog. Alternatively, a
    <command>sed</command> command, or a patch taken from a distribution, may be
    appropriate.</para>

    <para>The bottom line is that you are responsible for your own security, and
    for assessing the potential impact of any problems.</para>

    <para>To keep track of what is being discovered, you may wish to follow the
    security announcements of one or more distributions.  For example, debian have
    <ulink url="http://www.debian.org/security">debian security</ulink>.
    fedora links on security are at
    <ulink url="http://fedoraproject.org/wiki/Security">the fedora wiki</ulink>.
    details of gentoo linux security announcements are discussed at
    <ulink url="http://www.gentoo.org/security">gentoo security</ulink>.
    and the Slackware archives of security announcements are at
    <ulink url="http://slackware.com/security">slackware security</ulink>.
    </para>

    <para>The most general English source is perhaps
    <ulink url="http://seclists.org/fulldisclosure">the Full Disclosure Mailing
    List</ulink>, but please read the comment on that page. If you use other
    languages you may prefer other sites such as http://www.heise.de/security
    <ulink url="http://www.heise.de/security">heise.de</ulink> (German) or
    <ulink url="http://www.cert.hr">cert.hr</ulink> (Croatian). These are not
    linux-specific. There is also a daily update at lwn.net for subscribers
    (free access to the data after 2 weeks), but their vulnerabilities database at
    <ulink url="http://lwn.net/Vulnerabilities/">lwn.net/Vulnerabilities</ulink>
    is unrestricted).</para>

    <para>For some packages, subscribing to their &apos;announce&apos; lists
    will provide prompt news of newer versions.</para>

    <para condition="html" role="usernotes">User Notes:
    <ulink url="&blfs-wiki;/vulnerabilities"/></para>

  </sect2>

</sect1>
Add pages on libraries and vulnerabilities, icewm-1.3.7, gvolwheel-1.0.0 and retire gnome-media. git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@10406 af4574ff-66df-0310-9fd7-8a98e5e911e0 2012-07-10 02:31:25 +08:00			`<?xml version="1.0" encoding="ISO-8859-1"?>`
			`<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"`
			`"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [`
			`<!ENTITY % general-entities SYSTEM "../../general.ent">`
			`%general-entities;`
			`]>`

			`<sect1 id="vulnerabilities" xreflabel="vulnerabilities">`
			`<?dbhtml filename="vulnerabilities.html"?>`

			`<sect1info>`
			`<othername>$LastChangedBy$</othername>`
			`<date>$Date$</date>`
			`</sect1info>`

			`<title>Vulnerabilities</title>`

			`<!-- section g : 'Others' in longindex.html -->`
			`<indexterm zone="vulnerabilities">`
			`<primary sortas="g-vulnerabilities">vulnerability links</primary>`
			`</indexterm>`

			`<sect2 role="package">`
			`<title>About vulnerabilities</title>`

			`<para>All software has bugs. Sometimes, a bug can be exploited, for example`
			`to allow users to gain enhanced privileges (perhaps gaining a root shell, or`
			`simply accessing or deleting other users' files), or to allow a remote`
			`site to crash an application (denial of service), or for theft of data. These`
			`bugs are labelled as vulnerabilities.</para>`

			`<para>The main place where vulnerabilities get logged is`
			`<ulink url="http://cve.mitre.org">cve.mitre.org</ulink>.`
			`Unfortunately, many vulnerabily numbers (CVE-yyyy-nnnn) are initially only`
			`labelled as "reserved" when distributions start issuing fixes. Also, some`
			`vulnerabilities apply to particular combinations of`
			`<command>configure</command> options, or only apply to old versions of`
			`packages which have long since been updated in BLFS.</para>`

			`<para>BLFS differs from distributions - there is no BLFS security team and`
			`the editors only become aware of vulnerabilities after they are public`
			`knowledge. Sometimes, a package with a vulnerability will not be updated in`
			`the book for a long time. Issues can be logged in the trac system, which`
			`might speed up resolution.</para>`

			`<para>The normal way for BLFS to fix a vulnerability is, ideally, to update`
			`the book to a new fixed releasse of the package. Sometimes that happens even`
			`before the vulnerability is public knowledge, so there is no guarantee that`
			`it will be shown as a vulnerability fix in the Changelog. Alternatively, a`
			`<command>sed</command> command, or a patch taken from a distribution, may be`
			`appropriate.</para>`

			`<para>The bottom line is that you are responsible for your own security, and`
			`for assessing the potential impact of any problems.</para>`

			`<para>To keep track of what is being discovered, you may wish to follow the`
			`security announcements of one or more distributions. For example, debian have`
			`<ulink url="http://www.debian.org/security">debian security</ulink>.`
			`fedora links on security are at`
			`<ulink url="http://fedoraproject.org/wiki/Security">the fedora wiki</ulink>.`
			`details of gentoo linux security announcements are discussed at`
			`<ulink url="http://www.gentoo.org/security">gentoo security</ulink>.`
			`and the Slackware archives of security announcements are at`
			`<ulink url="http://slackware.com/security">slackware security</ulink>.`
			`</para>`

			`<para>The most general English source is perhaps`
			`<ulink url="http://seclists.org/fulldisclosure">the Full Disclosure Mailing`
			`List</ulink>, but please read the comment on that page. If you use other`
			`languages you may prefer other sites such as http://www.heise.de/security`
			`<ulink url="http://www.heise.de/security">heise.de</ulink> (German) or`
			`<ulink url="http://www.cert.hr">cert.hr</ulink> (Croatian). These are not`
			`linux-specific. There is also a daily update at lwn.net for subscribers`
			`(free access to the data after 2 weeks), but their vulnerabilities database at`
			`<ulink url="http://lwn.net/Vulnerabilities/">lwn.net/Vulnerabilities</ulink>`
			`is unrestricted).</para>`

			`<para>For some packages, subscribing to their 'announce' lists`
			`will provide prompt news of newer versions.</para>`

			`<para condition="html" role="usernotes">User Notes:`
			`<ulink url="&blfs-wiki;/vulnerabilities"/></para>`

			`</sect2>`

			`</sect1>`