145 unique vulnerabilities in linux in 2001
Results 1 to 6 of 6

Thread: 145 unique vulnerabilities in linux in 2001

  1. #1
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,535

    145 unique vulnerabilities in linux in 2001

    Hi all,





    Today I read this on : http://lwn.net/





    Whew. That is a total of 290 updates for 145 unique vulnerabilities. It would seem that the vnunet article actually underestimated the problem. A quick look at the totals suggests that Turbolinux is the most secure distribution with only 28 updates, while Debian and Mandrake top the list at 81. It must be time to put out a press release. That is, of course, complete nonsense. Why do the different distributors have different numbers of updates? Here's a few reasons: Not all distributors ship the same packages. Debian, due to its size, is almost guaranteed to have more issues than any other distribution. Very few others ship packages like cfingerd or xtel. Distributors sometimes combine multiple fixes into a single update - especially if they are running behind. The number of updates puts a lower bound on the number of security problems fixed, but doesn't tell much more than that. Some distributors are rather better at getting updates out than others. All distributions, for example, were vulnerable to the latest glibc buffer overflow problem. Debian's update came out in January, and thus didn't quite make the 2001 table. Turbolinux has yet to issue an update for that problem, and for many others. If you simply count and compare updates, you will penalize the distributions that are more serious about security. In other words, we are not yet at a point where we can make meaningful comparisons even between Linux distributions. Trying to compare Linux with Windows seems like a waste of time. In the end, there is only so much to be learned about the security of an operating system by counting its published vulnerabilities. One has to look at the seriousness of each, how it was discovered (internal audit or external exploit), how long users had to wait for a fix, and how many users were actually compromised as a result of the problem. We need better ways of understanding and comparing security response; simply counting vulnerabilities is not sufficient.
    I thought you might like to know this...
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  2. #2
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    pays to stay on top of this ....
    Trappedagainbyperfectlogic.

  3. #3
    Senior Member
    Join Date
    Oct 2001
    Posts
    689
    Nice article jinx, I had read it before and noticed that a lot of the vulnerabilities were distribution specific. In other words there might have been 20 vulnerabilities in mandrake, but they wouldnt work on redhat. Another thing I noticed was that the vulnerabilities were on older distributions. The comparison was between win2000/NT and all distros of linux and all versions of those distros. This is an unfair comparison. Thats like comparing Mandrake 8.1 and redhat 7.2 against Win98, Me, NT(all versions), XP, 95, 3.1, DOS, and all the others.
    Wine maketh merry: but money answereth all things.
    --Ecclesiastes 10:19

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Technically, the subject is incorrect. These vulnerabilities are part of packages that come with distributions (as Preacher mentioned), NOT vulnerabilities in linux itself.

    As Preacher mentioned, the list is rather distribution specific. What would be more interesting in my eyes is the difference in patch time between Windows and linux. Most frequently, I've found that patches for linux-based software are available within a day or two of the flaw being discovered, whereas with Microsoft's system, it can take weeks.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    Good post JinX .

    ThePreacher is right. If this would be a "fair" comparison between MS and Linux they should have compared it by dists and vulnerabilitie level not by all vulnerabilities found. I read a similiar comparison with RH 7.2 and Win but I seem to have displaced the article.

  6. #6
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    good post.

    would add somethng to chsh's comment. Many times the patch or fix in msoft not only takes weeks but often months or not at all. They say to get the upgrade more often than not.

    this has several consequences:

    you are kept in the upgrade chain, thus paying to ensure more error prone items for release

    they don't expend resources to fix the problem

    they remove the product from active support, thereby renouncing their effective liability

    they then launch an "information session" where their product evangelists (I hate that term)
    go a preach the new snakeoil

    They can claim to be offering new goods when often it is just repackaged

    I hope this does not depress anyone.
    Trappedagainbyperfectlogic.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •