| 1 |
On Sat, 17 May 2008, Byron wrote: |
| 2 |
|
| 3 |
> It's something of a "lesser of two evils" situation. In the absence of |
| 4 |
> evidence either way, the only habit that would be worse is assuming that |
| 5 |
> any distribution is not affected, simply because they do not publicly state |
| 6 |
> that they are. Having said that, it's good to know that apparently Gentoo |
| 7 |
> is not impacted. |
| 8 |
> |
| 9 |
|
| 10 |
Hi, |
| 11 |
|
| 12 |
- when a vulnerability has been found inside the package, the package is |
| 13 |
vulnerable, it's not claimed to be distro-specific, and by default you |
| 14 |
are right in assuming that every distro is affected. |
| 15 |
|
| 16 |
- when a vulnerability has been found in a *distro-specific* patch or |
| 17 |
script (or ebuild (or Windows-specific version ) ), the vulnerability is |
| 18 |
claimed to reside in the distro scripts, or in the distro patch. So it's |
| 19 |
distro-specific. |
| 20 |
|
| 21 |
each linux distribution can not handle every other-distro-specific |
| 22 |
vulnerability. Gentoo has sometimes gentoo-specific vulnerabilities |
| 23 |
[1], and Debian too. Debian does not issue any statement that they are |
| 24 |
not affected by a Gentoo-specific vulnerability. No distro does that. |
| 25 |
And there would be a lot of other distributions to monitor [2]... That |
| 26 |
would really be a mess. |
| 27 |
|
| 28 |
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1383 |
| 29 |
|
| 30 |
[2] |
| 31 |
http://distrowatch.com/dwres.php?resource=major |
| 32 |
http://distrowatch.com/dwres.php?resource=cd |
| 33 |
http://distrowatch.com/dwres.php?resource=firewalls |
| 34 |
|
| 35 |
|
| 36 |
http://www.debian.org/security/key-rollover/ |
| 37 |
"In Debian Security Advisory 1571, the Debian Security Team disclosed a |
| 38 |
weakness in the random number generator used by OpenSSL on Debian and its |
| 39 |
derivatives." |
| 40 |
|
| 41 |
http://lists.debian.org/debian-security-announce/2008/msg00152.html |
| 42 |
"Debian-specific: yes" |
| 43 |
|
| 44 |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166 |
| 45 |
"OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based |
| 46 |
operating systems" |
| 47 |
|
| 48 |
If you are unsure about your provider advisory, go and see the original |
| 49 |
and official advisories (Debian, Mitre CVE) which are very clear. Then |
| 50 |
revoke your contract and change of provider :) |
| 51 |
|
| 52 |
Futhermore, a public RSA weak key (because being created by a vulnerable |
| 53 |
Debian openssl) that would have been uploaded to |
| 54 |
gentoo:~foo/.ssh/authorized_keys on a Gentoo system would make this |
| 55 |
Gentoo system vulnerable to a trivial remote compromise as soon as the |
| 56 |
attacker knows the "foo" user login. We can't simply say "be confident, |
| 57 |
you are safe because you are using Gentoo". That would be lying. It |
| 58 |
depends on your configuration and consequently that's the responsibility |
| 59 |
of the root. There are a lot of similar configuration or user-land |
| 60 |
risks, and that's not the purpose of the vulnerability monitoring that |
| 61 |
is provided by the GLSA process. |
| 62 |
|
| 63 |
By the way, the gentoo-security@g.o mailing list is obviously the |
| 64 |
right place to publicly inform that Gentoo openssl package is not |
| 65 |
vulnerable to CVE-2008-0166. Now that's done, thanks to Peter who |
| 66 |
firstly asked for it. |
| 67 |
|
| 68 |
|
| 69 |
cheers, |
| 70 |
-- |
| 71 |
Raphael Marichez aka Falco |
| 72 |
Gentoo Linux Security Team |
Archives