On Sat, 17 May 2008, Byron wrote:

> It's something of a "lesser of two evils" situation. In the absence of
> evidence either way, the only habit that would be worse is assuming that
> any distribution is not affected, simply because they do not publicly state
> that they are. Having said that, it's good to know that apparently Gentoo
> is not impacted.
>

Hi,

- when a vulnerability has been found inside the package, the package is
vulnerable, it's not claimed to be distro-specific, and by default you
are right in assuming that every distro is affected.

- when a vulnerability has been found in a *distro-specific* patch or
script (or ebuild, or Windows-specific version), the vulnerability is
claimed to reside in the distro scripts, or in the distro patch. So it's
distro-specific.

Each Linux distribution cannot handle every other-distro-specific
vulnerability. Gentoo sometimes has Gentoo-specific vulnerabilities
[1], and Debian too. Debian does not issue any statement that they are
not affected by a Gentoo-specific vulnerability. No distro does that.
And there would be a lot of other distributions to monitor [2]... That
would really be a mess.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1383

[2]
http://distrowatch.com/dwres.php?resource=major
http://distrowatch.com/dwres.php?resource=cd
http://distrowatch.com/dwres.php?resource=firewalls


http://www.debian.org/security/key-rollover/
"In Debian Security Advisory 1571, the Debian Security Team disclosed a
weakness in the random number generator used by OpenSSL on Debian and its
derivatives."

http://lists.debian.org/debian-security-announce/2008/msg00152.html
"Debian-specific: yes"

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166
"OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based
operating systems"

If you are unsure about your provider advisory, go and see the original
and official advisories (Debian, Mitre CVE) which are very clear. Then
revoke your contract and change provider :)

Furthermore, a weak public RSA key (because it was created by a vulnerable
Debian openssl) that would have been uploaded to
gentoo:~foo/.ssh/authorized_keys on a Gentoo system would make this
Gentoo system vulnerable to a trivial remote compromise as soon as the
attacker knows the "foo" user login. We can't simply say "be confident,
you are safe because you are using Gentoo". That would be lying. It
depends on your configuration and consequently that's the responsibility
of the root. There are a lot of similar configuration or user-land
risks, and that's not the purpose of the vulnerability monitoring that
is provided by the GLSA process.

By the way, the gentoo-security@g.o mailing list is obviously the
right place to publicly inform that the Gentoo openssl package is not
vulnerable to CVE-2008-0166. Now that's done, thanks to Peter who
first asked for it.


cheers,
--
Raphael Marichez aka Falco
Gentoo Linux Security Team
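A defender-side check for the configuration risk described in the message above (a Debian-generated weak key sitting in a user's authorized_keys on an otherwise unaffected system). This is an added example, not code from the original post or from the Gentoo security team: it parses an authorized_keys file, computes each key's MD5 fingerprint and reports the keys whose fingerprint is on a weak-key blacklist. The key material and the blacklist are constructed here; in real use the blacklist is assumed to be the set of MD5 fingerprints shipped by your distribution's weak-key package.

```python
import base64
import hashlib
import struct
def _string(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s
def _mpint(n: int) -> bytes:
    # RFC 4251 mpint: big-endian with a leading 0x00 byte whenever the top bit is set
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))
def encode_rsa_blob(e: int, n: int) -> bytes:
    """OpenSSH wire format of an RSA public key: string "ssh-rsa", mpint e, mpint n."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)

def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint of the blob, the format ssh-keygen -l printed in 2008."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))

def parse_authorized_keys(text: str):
    """Yield (keytype, blob, comment) per key line, tolerating options fields and comments."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # an options field such as from="..." or no-pty may precede the key type
        idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
        except ValueError:
            continue  # corrupt base64: not a usable key, skip it
        # the blob embeds its own type string, which must agree with the text field
        if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != fields[idx].encode():
            continue
        yield fields[idx], blob, " ".join(fields[idx + 2:])

def find_weak_keys(text: str, blacklist: set) -> list:
    """Return the comments of keys whose fingerprint is on the weak-key blacklist (revoke these)."""
    return [c for _t, b, c in parse_authorized_keys(text) if md5_fingerprint(b) in blacklist]

# Constructed sample data: toy moduli (not real keys) and a stand-in blacklist.
WEAK_BLOB = encode_rsa_blob(65537, 0xC0FFEE1234567891)
GOOD_BLOB = encode_rsa_blob(65537, 0xDEADBEEF87654321)
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed ~foo/.ssh/authorized_keys\n"
    'from="10.0.0.0/8" ssh-rsa ' + base64.b64encode(WEAK_BLOB).decode() + " foo@debian-laptop\n"
    "ssh-rsa " + base64.b64encode(GOOD_BLOB).decode() + " foo@workstation\n"
)
WEAK_FINGERPRINTS = {md5_fingerprint(WEAK_BLOB)}  # real use: load your distro's blacklist here
```

Running `find_weak_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS)` on the sample returns only the key tagged foo@debian-laptop, which is the entry the root of that system would have to remove.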