linux-from-scratch/glfs
1
0
Fork 0
mirror of https://github.com/Zeckmathederg/glfs.git synced 2025-01-25 07:42:13 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
4184d4d4ca
glfs/postlfs/security/vulnerabilities.xml
Chris Staub f6f07b6b6d Updated link to gentoo security 
git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@15925 af4574ff-66df-0310-9fd7-8a98e5e911e0
2015-05-03 16:44:03 +00:00

87 lines
4.0 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
<sect1 id="vulnerabilities" xreflabel="vulnerabilities">
<?dbhtml filename="vulnerabilities.html"?>
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<title>Vulnerabilities</title>
<!-- section g : 'Others' in longindex.html -->
<indexterm zone="vulnerabilities">
<primary sortas="g-vulnerabilities">vulnerability links</primary>
</indexterm>
<sect2 role="package">
<title>About vulnerabilities</title>
<para>All software has bugs. Sometimes, a bug can be exploited, for example
to allow users to gain enhanced privileges (perhaps gaining a root shell, or
simply accessing or deleting other user&apos;s files), or to allow a remote
site to crash an application (denial of service), or for theft of data. These
bugs are labelled as vulnerabilities.</para>
<para>The main place where vulnerabilities get logged is
<ulink url="http://cve.mitre.org">cve.mitre.org</ulink>.
Unfortunately, many vulnerability numbers (CVE-yyyy-nnnn) are initially only
labelled as "reserved" when distributions start issuing fixes. Also, some
vulnerabilities apply to particular combinations of
<command>configure</command> options, or only apply to old versions of
packages which have long since been updated in BLFS.</para>
<para>BLFS differs from distributions - there is no BLFS security team, and
the editors only become aware of vulnerabilities after they are public
knowledge. Sometimes, a package with a vulnerability will not be updated in
the book for a long time. Issues can be logged in the Trac system, which
might speed up resolution.</para>
<para>The normal way for BLFS to fix a vulnerability is, ideally, to update
the book to a new fixed release of the package. Sometimes that happens even
before the vulnerability is public knowledge, so there is no guarantee that
it will be shown as a vulnerability fix in the Changelog. Alternatively, a
<command>sed</command> command, or a patch taken from a distribution, may be
appropriate.</para>
<para>The bottom line is that you are responsible for your own security, and
for assessing the potential impact of any problems.</para>
<para>To keep track of what is being discovered, you may wish to follow the
security announcements of one or more distributions. For example, Debian has
<ulink url="http://www.debian.org/security">Debian security</ulink>.
Fedora's links on security are at
<ulink url="http://fedoraproject.org/wiki/Security">the Fedora wiki</ulink>.
Details of Gentoo linux security announcements are discussed at
<ulink url="https://security.gentoo.org">Gentoo security</ulink>.
Finally, the Slackware archives of security announcements are at
<ulink url="http://slackware.com/security">Slackware security</ulink>.
</para>
<para>The most general English source is perhaps
<ulink url="http://seclists.org/fulldisclosure">the Full Disclosure Mailing
List</ulink>, but please read the comment on that page. If you use other
languages you may prefer other sites such as http://www.heise.de/security
<ulink url="http://www.heise.de/security">heise.de</ulink> (German) or
<ulink url="http://www.cert.hr">cert.hr</ulink> (Croatian). These are not
linux-specific. There is also a daily update at lwn.net for subscribers
(free access to the data after 2 weeks, but their vulnerabilities database at
<ulink url="http://lwn.net/Vulnerabilities/">lwn.net/Vulnerabilities</ulink>
is unrestricted).</para>
<para>For some packages, subscribing to their &apos;announce&apos; lists
will provide prompt news of newer versions.</para>
<para condition="html" role="usernotes">User Notes:
<ulink url="&blfs-wiki;/vulnerabilities"/></para>
</sect2>
</sect1>
Reference in New Issue View Git Blame Copy Permalink