Everything out of date High Security risk = linux mint?

[RobinV]

Hello all,

I really really like Linux Mint, however I noticed that all the default repos have HIGHLY out of date Software.
Is there a way to fix this? Or is Linux Mint by default the most insecure Linux I've ever seen?
I mean, don't take me wrong.. I really enjoy the Mint thing, Its my favorite linux. I often tell my friends to get it as I see it as Lightweight Ubuntu (and yes I HATE ubuntu).

But yes, the old software is such a bummer for me.. (as I am Employed as a Security Researcher )
So, is there an a way to get better repos? Or will I have to compile the packages myself and put them in apt-get by hand?

Cheers,
Robin

[emorrp1]

have you read http://forums.linuxmint.com/viewtopic.php?f=47&t=31954 ?

[RobinV]

I have now, however it doesn't really answer why the Security should be comprised in my eyes.
There is a Stable Package, lets take Pidgin. However some Researcher found a Boundary Flaw.
This issue was well lets say the standard if (==) || (<=) Issue.
It gets fixed, and there is no update as its not redeemed to be 'stable'

What if Id add Debians Repos? is that accepted or do you think it would break things?

Thanks for the Response. However I agree with not putting unstable packages there.
I do strongly-disapprove on leaving leaks hanging around.

[DrHu]

I have now, however it doesn't really answer why the Security should be comprised in my eyes. There is a Stable Package, lets take Pidgin. However some Researcher found a Boundary Flaw.

it doesn't really answer why the Security should be comprised in my eyes.
Maybe the distributor of the OS feels differently, maybe other users feel differently; so why insert patches to fix a potential problem that may not exist for everybody under their system design (constraints); or under the default installation of the OS..

First question about any of these security alerts,

• Is it a remote exploit
  --one than can come in via a web browser
• Is it a local exploit
  --you can control your own users; and if absolutely necessary patch the system to plug the problem

If it's an application, same means test; is it a remote exploit, is it in the wild or is it only a laboratory experiment of a potential threat
--unless an exploit is actually a series threat to the kernel (for example), then application security and other local exploits can be mostly ignored, without security being compromised

[RobinV]

I know how the exploit world works.
I used this issue since its in old versions of Pidgin its remote and its NOT patched in LinuxMint.

But alright I see that the linuxMint way is to just use the old packages and that every package has its long way before getting into repo. ?

[emorrp1]

Security could be thought of as a subset of "features", hence it is caught up in the eternal feature vs. stability compromises (more on that here: http://forums.linuxmint.com/viewtopic.php?f=61&t=17101 ) It's also largely the responsibility of the app developer/maintainer - they have to release a security bug-fix update in order for it to be distributed to all users. In the case you mention, I bet it's one of the following situations:
1) The vulnerability is unknown, or known but unpatched
2) The vulnerability is known, but has only been patched in their newer main version, which introduces its own instability issues
3) The vulnerability is known, and has been patched in a bugfix to the version Mint uses, but it hasn't made it through the stability checks yet
In the case of (1) feel free to try to create a patch if you can, and/or disable the app in the meantime.
In the tricky case of (2), you could try to backport the patch yourself, or you could compromise on stability in favour of security and install the newer version.
In the case of (3), you could try to incorporate the patch yourself or you could just wait for it to make it through. If the app developer made a clean patch for the security issue, then it will pass the stability checks.

It's all about choice, in this case you obviously value security extremely highly. If enabling debian repos will solve your problem, then feel free, but be aware it will compromise your system's stability. Can you give an example of an unpatched security vulnerability in a Mint app, or is this just hypothetical?

EDIT: I see you've replied - how old is old?

[RobinV]

Well I run Pidgin 2.5.5 Latest in the Repos.
When I only enter Pidgin Exploit I find http://www.milw0rm.com/exploits/9615 2.58 and lower exploit. First Google Hit

There are way more. However I decided to load the Debian Repos. And well I can understand the choice. However maybe something that has to do with security should be added to Linux Mint.

Kind Regards,

Robin

[monkeyboy]

Hello all,

I really really like Linux Mint, however I noticed that all the default repos have HIGHLY out of date Software.
Is there a way to fix this? Or is Linux Mint by default the most insecure Linux I've ever seen?
I mean, don't take me wrong.. I really enjoy the Mint thing, Its my favorite linux. I often tell my friends to get it as I see it as Lightweight Ubuntu (and yes I HATE ubuntu).

But yes, the old software is such a bummer for me.. (as I am Employed as a Security Researcher )
So, is there an a way to get better repos? Or will I have to compile the packages myself and put them in apt-get by hand?

Cheers,
Robin

If you cite specific programs you are concerned about folks will be able to better address you problems. Good Luck

[RobinV]

I am currently updating it all with Debian Repos.. yes 1356 packages to update.
The apps I was most scared of included but are not limited to: OpenSSL, OpenSSH, Pidgin, Firefox and Wine.
I will still run mint however I am getting closer to its Debian roots.
I see how the mint People think, and I can understand that you prefer Stability over Security.
But yea working on some security systems on a insecure system is kinda well odd.. heh Ill give away some stability for security.

In 28 Minutes we'll see if my system will be able of a Reboot..

Cheers,
Robin

[emorrp1]

Ahh, thanks for providing the precise security issue you're talking about, I learnt something new today thanks to that. It seems that (2) above has an alternate resolution: Ubuntu backport the patch to the current supported release, and this is what's happened in the case of pidgin. The short story is that you're safe to use ubuntu's version of pidgin: 2.5.5-1ubuntu8.4.

I first checked here: http://packages.ubuntu.com/search?suite ... rds=pidgin and noticed that the latest version had [security] marked next to it. This led me to http://changelogs.ubuntu.com/changelogs ... /changelog which states that the security issue you mention has been fixed in ubuntu's version. I then wondered how quick this process was, according to http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-2694 this was known (privately) by at least 5th August and pidgin devs fixed the issue on 14th Aug ( http://developer.pidgin.im/viewmtn/revi ... 33c1d54a0e ) and made an announcement (with the 2.5.9 release) on 18th August - http://www.pidgin.im/news/security/?id=34 A related Ubuntu bug ( https://bugs.launchpad.net/ubuntu/+sour ... bug/415863 ) was filed on 19th August and the fix was released at 08:49 UTC that same day, which is likely less than 24 (or probably even 12) hours after the security announcement.

All in all, I feel pretty safe in Mint, and am pleased that the actual security response is much better than I expected.
EDIT: I see you've posted since I pressed reply, I hope the other apps you mention have a similar resolution to pidgin (e.g. firefox 3.0.14 is available in mint). I do value security as the highest of features, and would even risk some stability for it, but I wouldn't risk everything just to fix something I'm unlikely to come across, especially now I know how rapid the response is, and how it works.

[RobinV]

Firefox 3.0.14 has a couple of Drive-By-Download problems.. :/

I think its alright for the average user.
However, be being paranoid and not a average user (yes I go to Malicious sites on purpose) its just not secure enough for me

I should write a little script that checks Milw0rm and sites like that and compares it to the current install version of that software.. If people are intrested in something like that..

[emorrp1]

Firefox 3.0.14 has a couple of Drive-By-Download problems..

not sure what you mean: if it's a problem with using the app itself, then getting the debian repos won't help. If it's a problem with downloading the update from their website, you don't have to worry about that with linux's repo system of updates distribution. If you mean 3.5's improved anti-phishing methods you can install it on Mint, (but see also http://forums.linuxmint.com/viewtopic.php?f=47&t=32670 ) If you're paranoid enough to want to live with a Mint-->Debian system, fair enough, I assume you know the consequences, just don't come asking questions when something breaks, you're accepting responsibility for fixing that yourself now.

[altair4]

I should write a little script that checks Milw0rm and sites like that and compares it to the current install version of that software.. If people are intrested in something like that..

milw0rm (also called milwOrm) is a group of "hacktivists" best known for penetrating the computers of the Bhabha Atomic Research Centre (BARC) in Mumbai, the primary nuclear research facility of India, on June 3, 1998. The group conducted hacks for political reasons,[1] including the largest mass hack up to that time, inserting an anti-nuclear weapons agenda and peace message on its hacked websites.[2][3] The group's logo featured the slogan "Putting the power back in the hands of the people."[4]

I think I'll pass

[RobinV]

What are you scared for Milw0rm?
heh, I can't blame you tbh.

But yea, anyway I tried.. My system failed.. (I havnt got sound anymore)
Can't be asked to fix it, reinstall
Tried it it failed recommended action.. If you value stability over security linuxMint is right. If you are paranoid its not.

Thanks for linuxMint Ill keep recommending it, however I am going to Gentoo or Arch.. I havnt picked yet.

Cheers,
Robin

[emorrp1]

Well I still don't understand why you're still complaining about security when I've shown that it's a matter of hours, days at most until Mint gets the latest security updates. I don't "value stability over security", as with all things there is a balance to be maintained, and Mint is a very good attempt at striking that balance, with security vulnerabilities being rapidly fixed. It's impossible for one person to do any better on their own, you'll have the same issues whether you're using Mint, gentoo or arch, since you're still dependent on how quickly the distro makers can make a new release available (whether that's packaged or source).

[DrHu]

Well I run Pidgin 2.5.5 Latest in the Repos.
When I only enter Pidgin Exploit I find http://www.milw0rm.com/exploits/9615 2.58 and lower exploit. First Google Hit ;)

Well OK, but how series is that Pidgin..

http://www.vupen.com/english/advisories/2009/2551

• Affected Products Pidgin versions prior to 2.6.2

• Multiple vulnerabilities have been identified in Pidgin, which could be exploited by attackers to cause a denial of service. These issues are caused by errors when processing XMPP, MSN or IRC TOPIC messages or data, which could be exploited to crash an affected application, creating a denial of service condition.

I should write a little script that checks Milw0rm and sites like that and compares it to the current install version of that software.. If people are intrested in something like that.

The Millworm site has the same note for 2.5.5, so it is a bit out of date..
http://www.milw0rm.com/
http://www.h-online.com/security/Milw0r ... ews/113722

• One of the largest exploit portals on the internet, milw0rm.com, has ceased to operate. Only a few lines in the page headers announce the portal's closure. The operator, who goes by the handle 'str0ke', explains that it has become impossible to review and release submitted exploits within an adequate time frame:

http://www.elitehackers.info/forums/sho ... hp?p=86603
OK, it's up again, so what!

[Kaye]

Well I still don't understand why you're still complaining about security when I've shown that it's a matter of hours, days at most until Mint gets the latest security updates. I don't "value stability over security", as with all things there is a balance to be maintained, and Mint is a very good attempt at striking that balance, with security vulnerabilities being rapidly fixed. It's impossible for one person to do any better on their own, you'll have the same issues whether you're using Mint, gentoo or arch, since you're still dependent on how quickly the distro makers can make a new release available (whether that's packaged or source).

Agreed. I think you're confusing patches with updates (which seems strange to me considering you work in security..)