Re: Security patches: who's got it right, Slackware or Debian

From: GP (gilpel_at_inverse.nretla.org)
Date: 02/03/05


Date: Wed, 02 Feb 2005 20:25:50 -0500

Dave Uhring wrote:

> On Wed, 02 Feb 2005 19:36:18 -0500, GP wrote:
>
>
>>Section Security Advisories is not maintained anymore on Slack's site, but
>>there are 3 security fixes in the changelog since the beginning of the year.
>
>
> There are *no* patches for Slackware-10.0 since 01 Nov 2004.
>
> ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/

Those patches are not all for security. Security patches, or fixes, are here:

http://www.slackware.com/security/list.php?l=slackware-security&y=2004

And that's for current too.

But I wrote: «in the changelog since the beginning of the year». Which
changelog has been maintained since the beginning of the year? Unstable!

Of course, those security fixes apply to packages which are more up to date
than Debian's. Maybe this is what explains the discrepancy.

So let's compare Slackware and Debian for a period where Slackware stable was
still maintained. Here are the security patches for September and October:

2004-10-25 - [slackware-security] apache, mod_ssl, php (SSA:2004-299-01)
2004-10-22 - [slackware-security] gaim (SSA:2004-296-01)
2004-10-12 - [slackware-security] rsync (SSA:2004-285-01)
2004-10-04 - [slackware-security] zlib DoS (SSA:2004-278-02)
2004-10-04 - [slackware-security] getmail (SSA:2004-278-01)
2004-09-22 - [slackware-security] CUPS DoS (SSA:2004-266-01)
2004-09-22 - [slackware-security] Mozilla (SSA:2004-266-03)
2004-09-22 - [slackware-security] GTK+ image loading flaws (SSA:2004-266-02)
2004-09-22 - [slackware-security] xine-lib (SSA:2004-266-04)
2004-09-13 - [slackware-security] samba DoS (SSA:2004-257-01)
2004-09-03 - [slackware-security] kde (SSA:2004-247-01)

http://www.slackware.com/security/list.php?l=slackware-security&y=2004

Now here are Debian's:

[29 Nov 2004] DSA-602 libgd2 - integer overflow
[29 Nov 2004] DSA-601 libgd - integer overflow
[07 Oct 2004] DSA-600 samba - arbitrary file access
[25 Nov 2004] DSA-599 tetex-bin - integer overflows
[25 Nov 2004] DSA-598 yardradius - buffer overflow
[25 Nov 2004] DSA-597 cyrus-imapd - buffer overflow
[24 Nov 2004] DSA-596 sudo - missing input sanitising
[24 Nov 2004] DSA-595 bnc - buffer overflow
[17 Nov 2004] DSA-594 apache - buffer overflows
[16 Nov 2004] DSA-593 imagemagick - buffer overflow
[12 Nov 2004] DSA-592 ez-ipupdate - format string
[09 Nov 2004] DSA-591 libgd2 - integer overflows
[09 Nov 2004] DSA-590 gnats - format string vulnerability
[09 Nov 2004] DSA-589 libgd1 - integer overflows
[08 Nov 2004] DSA-588 gzip - insecure temporary files
[08 Nov 2004] DSA-587 freeamp - buffer overflow
[08 Nov 2004] DSA-586 ruby - infinite loop
[05 Nov 2004] DSA-585 shadow - programming error
[04 Nov 2004] DSA-584 dhcp - format string vulnerability
[03 Nov 2004] DSA-583 lvm10 - insecure temporary directory
[02 Nov 2004] DSA-582 libxml - buffer overflow
[02 Nov 2004] DSA-581 xpdf - integer overflows
[01 Nov 2004] DSA-580 iptables - missing initialisation
[01 Nov 2004] DSA-579 abiword - buffer overflow
[01 Nov 2004] DSA-578 mpg123 - buffer overflow
[29 Oct 2004] DSA-577 postgresql - insecure temporary file
[29 Oct 2004] DSA-576 squid - several vulnerabilities
[28 Oct 2004] DSA-575 catdoc - insecure temporary file
[28 Oct 2004] DSA-574 cabextract - missing directory sanitising
[21 Oct 2004] DSA-573 cupsys - integer overflows
[21 Oct 2004] DSA-572 ecartis - several vulnerabilities
[20 Oct 2004] DSA-571 libpng3 - buffer overflows, integer overflow
[20 Oct 2004] DSA-570 libpng - integer overflow
[18 Oct 2004] DSA-569 netkit-telnet-ssl - invalid free(3)
[16 Oct 2004] DSA-568 cyrus-sasl-mit - unsanitised input
[15 Oct 2004] DSA-567 tiff - heap overflows
[14 Oct 2004] DSA-566 cupsys - unsanitised input
[13 Oct 2004] DSA-565 sox - buffer overflow
[13 Oct 2004] DSA-564 mpg123 - missing user input sanitising
[14 Oct 2004] DSA-563 cyrus-sasl - unsanitised input
[11 Oct 2004] DSA-562 mysql - several vulnerabilities
[11 Oct 2004] DSA-561 xfree86 - integer and stack overflows
[07 Oct 2004] DSA-560 lesstif1-1 - integer and stack overflows
[06 Oct 2004] DSA-559 net-acct - insecure temporary file
[06 Oct 2004] DSA-558 libapache-mod-dav - null pointer dereference
[04 Oct 2004] DSA-557 rp-pppoe - missing privilege dropping
[18 Oct 2004] DSA-556 netkit-telnet - invalid free(3)

http://www.debian.org/security/2004/

So the discrepancy is not as wide, but Slackware still seems to be missing
quite a few.

GP
