LinuxQuestions.org
Old 04-28-2005, 03:00 PM   #1
RobF
LQ Newbie
 
Registered: Aug 2004
Posts: 20

Rep: Reputation: 0
Security updates for Linux distros


I'm puzzled by the policy of Xandros regarding security updates for their Desktop OS, and I'm wondering how this matter is handled by other Linux distros.

Xandros issued the last security update for their Desktop OS v.2.0.1 (a "general security update") nine months ago. Since then Debian, on which Xandros is based, has released 179 security advisories (DSA-535 to DSA-714). This includes the following packages, most of which are commonly used system programs (they are part of the default install of Xandros Desktop). The numbers in brackets are the DSA numbers (DSA = Debian Security Advisory).

libpng (*536), kdelibs (539), qt (*542), gtk+ (*549), imlib (*548), imlib2 (*549), xfree86 (561), sox (*565), libpng (*570), iptables (580), gzip (588), openssl (603), xfree86 (*607), htget (*611), imlib (*618), cupsys (*621), zip (*624), imlib2 (*628), exim (*635), glibc (*636), cupsys (*645), xine-lib (*657), kdelibs (*714)

The flagged packages (*) appear to have fairly serious security vulnerabilities, vulnerabilities that according to Debian "may be utilised by an attacker to execute arbitrary code on the victim's machine". In most cases, the DSA states "We recommend that you upgrade your xxxxx package"; in a few cases it adds "immediately" (e.g. DSA-607 xfree86 xlibs package).

These packages are part of the base install of practically every Linux distribution. What has been the action of the vendor/developer of your distribution with regard to these vulnerabilities (did they post alerts and fixes?) and what did you as the user decide to do about them?

Can one simply shrug off these alerts as being inconsequential for a desktop machine configured in a standard way (see below), as it seems Xandros has done, or is there cause for concern and action?

Debian has supplied fixes for all of these for the woody distribution. Fixes are also available for many of them for the sid distribution or else, as Debian states, "the problem will be fixed soon". Strangely, for the sarge versions of these packages no patches appear to be available.

I'm running Xandros 2.0.1 as a desktop OS; no servers are enabled. I have a broadband connection to the Internet (computer > NAT router > cable modem > ISP). An iptables firewall (configured with Firestarter 0.92) is installed on my system, with Firestarter's default settings (DHCP, access to all services disabled, ToS filtering and ICMP filtering disabled); the firewall is enabled at bootup.

Should I be concerned about the absence of security updates coming from Xandros?

Thanks for your help.

Robert

Last edited by RobF; 04-28-2005 at 03:05 PM.
 
Old 04-28-2005, 03:20 PM   #2
Thoreau
Senior Member
 
Registered: May 2003
Location: /var/log/cabin
Distribution: All
Posts: 1,167

Rep: Reputation: 45
Xandros is supposedly a clone of Debian stable, potato, and doesn't have as many updates due to that. Also, Xandros doesn't have development tools and many of the apps running that potato does, so there isn't much to update. You'll notice the install is quite fast, and there is a reason for that. There ain't much there.

It's more of a comfort OS, where people can be Windows weenies without Windows. Office, email, AIM/AOL, and other click me stuff that makes gerbils get antsy around you - all to make you feel at home. It's a good OS for recent converts, but going beyond the cloud of http program installs puts you outside of Xandros's support. They only support their programs included on the CD - nothing more.
 
  


All times are GMT -5. The time now is 04:12 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration