
Debian takes security very seriously… but how?

On http://www.debian.org/security/, I can read:

"Debian takes security very seriously. We handle all security problems brought to our attention and ensure that they are corrected within a reasonable timeframe."

By default, there is no reason to not believe them. But while talking with the administrator of Samba Bugzilla in bug 7121, I realized this was far from being true! What follows is specific to the Bugzilla case, but I guess there are plenty of other similar examples for other Debian packages.

This security report set the urgency to "High", and although the corresponding bug report was filed with Debian more than a month ago, asking the maintainer of the Bugzilla package to release new versions, nothing has been done so far. Even Secunia marked this security issue as "moderately critical", which is the third level out of five. And I myself emailed the Bugzilla package maintainer at Debian a few days ago, but have had no response so far.

So my question is this: how can Debian honestly argue that they take security very seriously? It looks like it takes ages to get something done, which is usually not a big deal when talking about new features, but is definitely a problem when talking about security.

I wanted to know if there were other, older unpatched security bugs in the Bugzilla packages, and I'm a bit irritated to see that there are many! Some of them are two years old! Yes, very seriously!

Bugzilla developers at Mozilla are in no way in charge of maintaining these packages, neither for Debian, nor Fedora, nor Mandriva, nor any other Linux distro, so we have no control at all over that. And people often come on IRC asking us for help, because the Bugzilla package provided with their Linux distro is broken or behaves in a weird way (typically a broken configuration or customization). And guess what? Most of the time, they use the Debian package. Yes, very seriously! For comparison, Fedora updated their Bugzilla packages the day after we released 3.6.4, and Mandriva the week after! It looks like they take security a bit more seriously.

Categories: Bugzilla, Mozilla
  1. 4 March 2011 at 9:59  

    Is this a problem that affects all packages, or are you just focusing on Bugzilla. I think it’s unfair to say "Debian" doesn’t care when it may primarily be a problem with the bugzilla package / maintainer.

  2. 4 March 2011 at 10:00  

    Sigh, that was meant to be a question. Please pretend there’s a ? after the first sentence…

  3. Frédéric Buclin
    4 March 2011 at 11:27  

    Many packages are concerned, yes. See e.g.

    http://security-tracker.debian.org/tracker/status/release/stable

  4. Michael Gilbert
    5 March 2011 at 8:04  

    I have to say that I mostly agree with what you say. This is a fundamental problem with a volunteer organization. If the maintainer doesn’t care about security, then issues aren’t going to get fixed. This unfortunately is the status quo with some very prominent packages: samba, pam. I used to spend effort reporting and fixing bugs on those packages but gave up after one too many hot-headed responses from the maintainers.

    Then again, some maintainers are very responsive: kfreebsd, eglibc. The problem will remain how to get volunteers to care about security.

    • 10 March 2011 at 8:47  

      Michael, saying that PAM and Samba maintainers don’t care about security is FUD. Those packages are actively maintained (unlike bugzilla apparently).

      Frédéric, did you contact the bugzilla maintainer to ask him what’s up with the security issues? That’s the best way to go forward… a blog post is rarely as effective. And if the maintainer doesn’t react, then get in touch with team@security.debian.org directly. They can do security updates even if the maintainer is unresponsive.

      • Frédéric Buclin
        10 March 2011 at 8:22  

        Yes, I did. I emailed him and a release coordinator at Debian 3 days before writing this article on my blog. And I got a reply from the release coordinator 2 days ago, where he admitted that the maintainer didn’t reply to the bug report about the security issues in Bugzilla, and that he was going to get in touch with the security team himself.

  5. TheGZeus
    5 March 2011 at 10:30  

    Is there a fix available?
    They might be trying to work out if they can get it patched or if they must upgrade to a new version.
    If they have to upgrade, it might affect other packages.
    This is _stable_ we’re talking about…

    • Frédéric Buclin
      6 March 2011 at 4:37  

      Patches are available, yes. The security advisories contain links to them.

  6. Jubal
    10 March 2011 at 3:42  

    “I’m not writing needlessly alarmist headlines … but how?”

  7. Dmitry
    21 March 2011 at 3:25  

    Lifetime of one Bugzilla release is about 2 years, while Debian developers have to maintain any package for 4-5 years since the date of its release (typically, a new version is included about one year before a stable Debian release, then 2 years while the next stable version is developed and then at least one more year after the next stable release).

    When Debian developers cannot rely on the upstream to provide all security fixes, they have to find and backport all security fixes themselves, but it rarely works well in practice if there are many security fixes.

    The alternative is upgrading packages to the version supported by the upstream, but that would undermine the stability of Debian. So, there is no good solution here other than for Debian developers to work together with the upstream to prolong the lifetime of some releases to 4-5 years…

  8. 25 September 2011 at 6:40  

    I can only agree, unfortunately.
    I’m just setting up Bugzilla 3.6.2 (the current stable version in Debian squeeze) on a test server. At the same time http://www.bugzilla.org has released patches and new versions to address several vulnerabilities. This without affecting stability (just choose your version upgrade).

    http://www.bugzilla.org/security/3.4.11/

    This was published Aug. 4; now it’s Sept 25. Looks like I have to download and patch it to 3.6.6.
