mirror of
https://github.com/Zeckmathederg/glfs.git
synced 2025-01-25 07:42:13 +08:00
105 lines
4.4 KiB
XML
105 lines
4.4 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|
<!ENTITY % general-entities SYSTEM "../../general.ent">
|
|
%general-entities;
|
|
]>
|
|
|
|
<sect1 id="vulnerabilities" xreflabel="vulnerabilities">
|
|
<?dbhtml filename="vulnerabilities.html"?>
|
|
|
|
|
|
<title>Vulnerabilities</title>
|
|
|
|
<!-- section g : 'Others' in longindex.html -->
|
|
<indexterm zone="vulnerabilities">
|
|
<primary sortas="g-vulnerabilities">vulnerability links</primary>
|
|
</indexterm>
|
|
|
|
<sect2 role="package">
|
|
<title>About vulnerabilities</title>
|
|
|
|
<para>
|
|
All software has bugs. Sometimes, a bug can be exploited, for example to
|
|
allow users to gain enhanced privileges (perhaps gaining a root shell,
|
|
or simply accessing or deleting other user's files), or to allow a
|
|
remote site to crash an application (denial of service), or for theft of
|
|
data. These bugs are labelled as vulnerabilities.
|
|
</para>
|
|
|
|
<para>
|
|
The main place where vulnerabilities get logged is
|
|
<ulink url="https://cve.mitre.org">cve.mitre.org</ulink>. Unfortunately,
|
|
many vulnerability numbers (CVE-yyyy-nnnn) are initially only labelled
|
|
as "reserved" when distributions start issuing fixes. Also, some
|
|
vulnerabilities apply to particular combinations of
|
|
<command>configure</command> options, or only apply to old versions of
|
|
packages which have long since been updated in BLFS.
|
|
</para>
|
|
|
|
<para>
|
|
BLFS differs from distributions—there is no BLFS security team, and
|
|
the editors only become aware of vulnerabilities after they are public
|
|
knowledge. Sometimes, a package with a vulnerability will not be updated
|
|
in the book for a long time. Issues can be logged in the Trac system,
|
|
which might speed up resolution.
|
|
</para>
|
|
|
|
<para>
|
|
The normal way for BLFS to fix a vulnerability is, ideally, to update
|
|
the book to a new fixed release of the package. Sometimes that happens
|
|
even before the vulnerability is public knowledge, so there is no
|
|
guarantee that it will be shown as a vulnerability fix in the Changelog.
|
|
Alternatively, a <command>sed</command> command, or a patch taken from
|
|
a distribution, may be appropriate.
|
|
</para>
|
|
|
|
<para>
|
|
The bottom line is that you are responsible for your own security, and
|
|
for assessing the potential impact of any problems.
|
|
</para>
|
|
|
|
<para>
|
|
The editors now issue Security Advisories for packages in BLFS (and LFS),
|
|
which can be found at <ulink
|
|
url="https://www.linuxfromscratch.org/blfs/advisories/">BLFS Security
|
|
Advisories</ulink>, and grade the severity according to what upstream
|
|
reports, or to what is shown at <ulink
|
|
url="https://nvd.nist.gov/">nvd.nist.gov</ulink> if that has details.
|
|
</para>
|
|
|
|
<para>
|
|
To keep track of what is being discovered, you may wish to follow the
|
|
security announcements of one or more distributions. For example, Debian
|
|
has <ulink url="https://www.debian.org/security">Debian security</ulink>.
|
|
Fedora's links on security are at <ulink
|
|
url="https://fedoraproject.org/wiki/category:Security">the Fedora wiki</ulink>.
|
|
Details of Gentoo linux security announcements are discussed at
|
|
<ulink url="https://security.gentoo.org">Gentoo security</ulink>.
|
|
Finally, the Slackware archives of security announcements are at
|
|
<ulink url="https://slackware.com/security">Slackware security</ulink>.
|
|
</para>
|
|
|
|
<para>
|
|
The most general English source is perhaps
|
|
<ulink url="https://seclists.org/fulldisclosure">the Full Disclosure
|
|
Mailing List</ulink>, but please read the comment on that page. If you
|
|
use other languages you may prefer other sites such as <ulink
|
|
url="https://www.heise.de/security">heise.de</ulink> (German) or <ulink
|
|
url="https://www.cert.hr">cert.hr</ulink> (Croatian). These are not
|
|
linux-specific. There is also a daily update at lwn.net for subscribers
|
|
(free access to the data after 2 weeks, but their vulnerabilities
|
|
database at <ulink
|
|
url="https://lwn.net/Alerts/">lwn.net/Alerts</ulink>
|
|
is unrestricted).
|
|
</para>
|
|
|
|
<para>
|
|
For some packages, subscribing to their 'announce' lists
|
|
will provide prompt news of newer versions.
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
</sect1>
|