Everything out of date High Security risk = linux mint?

DrHu

Re: Everything out of date High Security risk = linux mint?

Post by DrHu »

RobinV wrote:I have now, however it doesn't really answer why the security should be compromised in my eyes. There is a stable package, let's take Pidgin. However some researcher found a boundary flaw.
it doesn't really answer why the security should be compromised in my eyes.
Maybe the distributor of the OS feels differently, maybe other users feel differently; so why insert patches to fix a potential problem that may not exist for everybody under their system design (constraints), or under the default installation of the OS.

First question about any of these security alerts:
  • Is it a remote exploit?
    --one that can come in via a web browser
  • Is it a local exploit?
    --you can control your own users; and if absolutely necessary patch the system to plug the problem
If it's an application, same means test: is it a remote exploit, is it in the wild, or is it only a laboratory experiment of a potential threat?
--unless an exploit is actually a serious threat to the kernel (for example), then application security and other local exploits can be mostly ignored, without security being compromised.
emorrp1

Re: Everything out of date High Security risk = linux mint?

Post by emorrp1 »

Security could be thought of as a subset of "features", hence it is caught up in the eternal feature vs. stability compromises (more on that here: http://forums.linuxmint.com/viewtopic.php?f=61&t=17101 ). It's also largely the responsibility of the app developer/maintainer - they have to release a security bug-fix update in order for it to be distributed to all users. In the case you mention, I bet it's one of the following situations:
1) The vulnerability is unknown, or known but unpatched
2) The vulnerability is known, but has only been patched in their newer main version, which introduces its own instability issues
3) The vulnerability is known, and has been patched in a bugfix to the version Mint uses, but it hasn't made it through the stability checks yet
In the case of (1) feel free to try to create a patch if you can, and/or disable the app in the meantime.
In the tricky case of (2), you could try to backport the patch yourself, or you could compromise on stability in favour of security and install the newer version.
In the case of (3), you could try to incorporate the patch yourself or you could just wait for it to make it through. If the app developer made a clean patch for the security issue, then it will pass the stability checks.

It's all about choice, in this case you obviously value security extremely highly. If enabling debian repos will solve your problem, then feel free, but be aware it will compromise your system's stability. Can you give an example of an unpatched security vulnerability in a Mint app, or is this just hypothetical?

EDIT: I see you've replied - how old is old?
monkeyboy

Re: Everything out of date High Security risk = linux mint?

Post by monkeyboy »

RobinV wrote:Hello all,

I really really like Linux Mint, however I noticed that all the default repos have HIGHLY out of date Software.
Is there a way to fix this? Or is Linux Mint by default the most insecure Linux I've ever seen?
I mean, don't take me wrong.. I really enjoy the Mint thing, it's my favorite Linux. I often tell my friends to get it as I see it as a lightweight Ubuntu (and yes I HATE Ubuntu).

But yes, the old software is such a bummer for me.. (as I am Employed as a Security Researcher ;))
So, is there a way to get better repos? Or will I have to compile the packages myself and put them in apt-get by hand?

Cheers,
Robin
If you cite specific programs you are concerned about, folks will be able to better address your problems. Good luck.
emorrp1

Re: Everything out of date High Security risk = linux mint?

Post by emorrp1 »

Ahh, thanks for providing the precise security issue you're talking about, I learnt something new today thanks to that. It seems that (2) above has an alternate resolution: Ubuntu backport the patch to the current supported release, and this is what's happened in the case of pidgin. The short story is that you're safe to use ubuntu's version of pidgin: 2.5.5-1ubuntu8.4.

I first checked here: http://packages.ubuntu.com/search?suite ... rds=pidgin and noticed that the latest version had [security] marked next to it. This led me to http://changelogs.ubuntu.com/changelogs ... /changelog which states that the security issue you mention has been fixed in ubuntu's version. I then wondered how quick this process was, according to http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-2694 this was known (privately) by at least 5th August and pidgin devs fixed the issue on 14th Aug ( http://developer.pidgin.im/viewmtn/revi ... 33c1d54a0e ) and made an announcement (with the 2.5.9 release) on 18th August - http://www.pidgin.im/news/security/?id=34 A related Ubuntu bug ( https://bugs.launchpad.net/ubuntu/+sour ... bug/415863 ) was filed on 19th August and the fix was released at 08:49 UTC that same day, which is likely less than 24 (or probably even 12) hours after the security announcement.

All in all, I feel pretty safe in Mint, and am pleased that the actual security response is much better than I expected.
EDIT: I see you've posted since I pressed reply, I hope the other apps you mention have a similar resolution to pidgin (e.g. firefox 3.0.14 is available in mint). I do value security as the highest of features, and would even risk some stability for it, but I wouldn't risk everything just to fix something I'm unlikely to come across, especially now I know how rapid the response is, and how it works.
emorrp1

Re: Everything out of date High Security risk = linux mint?

Post by emorrp1 »

RobinV wrote:Firefox 3.0.14 has a couple of Drive-By-Download problems..
Not sure what you mean: if it's a problem with using the app itself, then getting the Debian repos won't help. If it's a problem with downloading the update from their website, you don't have to worry about that with Linux's repo system of update distribution. If you mean 3.5's improved anti-phishing methods, you can install it on Mint (but see also http://forums.linuxmint.com/viewtopic.php?f=47&t=32670 ). If you're paranoid enough to want to live with a Mint-->Debian system, fair enough, I assume you know the consequences; just don't come asking questions when something breaks, you're accepting responsibility for fixing that yourself now.
Last edited by emorrp1 on Mon Sep 14, 2009 3:47 pm, edited 1 time in total.
altair4

Re: Everything out of date High Security risk = linux mint?

Post by altair4 »

I should write a little script that checks Milw0rm and sites like that and compares it to the current install version of that software.. If people are interested in something like that..
milw0rm (also called milwOrm) is a group of "hacktivists" best known for penetrating the computers of the Bhabha Atomic Research Centre (BARC) in Mumbai, the primary nuclear research facility of India, on June 3, 1998. The group conducted hacks for political reasons,[1] including the largest mass hack up to that time, inserting an anti-nuclear weapons agenda and peace message on its hacked websites.[2][3] The group's logo featured the slogan "Putting the power back in the hands of the people."[4]
I think I'll pass
emorrp1

Re: Everything out of date High Security risk = linux mint?

Post by emorrp1 »

Well I still don't understand why you're still complaining about security when I've shown that it's a matter of hours, days at most until Mint gets the latest security updates. I don't "value stability over security", as with all things there is a balance to be maintained, and Mint is a very good attempt at striking that balance, with security vulnerabilities being rapidly fixed. It's impossible for one person to do any better on their own, you'll have the same issues whether you're using Mint, gentoo or arch, since you're still dependent on how quickly the distro makers can make a new release available (whether that's packaged or source).
DrHu

Re: Everything out of date High Security risk = linux mint?

Post by DrHu »

RobinV wrote:Well I run Pidgin 2.5.5 Latest in the Repos.
When I only enter Pidgin Exploit I find http://www.milw0rm.com/exploits/9615 2.58 and lower exploit. First Google Hit ;)
Well OK, but how serious is that Pidgin..

http://www.vupen.com/english/advisories/2009/2551
  • Affected Products Pidgin versions prior to 2.6.2
  • Multiple vulnerabilities have been identified in Pidgin, which could be exploited by attackers to cause a denial of service. These issues are caused by errors when processing XMPP, MSN or IRC TOPIC messages or data, which could be exploited to crash an affected application, creating a denial of service condition.
RobinV wrote:I should write a little script that checks Milw0rm and sites like that and compares it to the current install version of that software.. If people are interested in something like that.
The milw0rm site has the same note for 2.5.5, so it is a bit out of date..
http://www.milw0rm.com/
http://www.h-online.com/security/Milw0r ... ews/113722
  • One of the largest exploit portals on the internet, milw0rm.com, has ceased to operate. Only a few lines in the page headers announce the portal's closure. The operator, who goes by the handle 'str0ke', explains that it has become impossible to review and release submitted exploits within an adequate time frame:
http://www.elitehackers.info/forums/sho ... hp?p=86603
OK, it's up again, so what!
Kaye

Re: Everything out of date High Security risk = linux mint?

Post by Kaye »

emorrp1 wrote:Well I still don't understand why you're still complaining about security when I've shown that it's a matter of hours, days at most until Mint gets the latest security updates. I don't "value stability over security", as with all things there is a balance to be maintained, and Mint is a very good attempt at striking that balance, with security vulnerabilities being rapidly fixed. It's impossible for one person to do any better on their own, you'll have the same issues whether you're using Mint, gentoo or arch, since you're still dependent on how quickly the distro makers can make a new release available (whether that's packaged or source).
Agreed. I think you're confusing patches with updates (which seems strange to me considering you work in security..)