[SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

maxb
Posts: 52
Joined: 2021-10-19 05:26
Has thanked: 2 times
Been thanked: 2 times

[SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#1 Post by maxb »

The lead dev of GrapheneOS (praised by Snowden and Dorsey) had some harsh things to say about the security of Linux and Debian in particular:

https://old.reddit.com/r/GrapheneOS/com ... d/ekzo6c0/
The Linux kernel is a security disaster, but so are the kernels in macOS / iOS and Windows, although they are moving towards changing. For example, iOS moved a lot of the network stack to userspace, among other things.

The userspace Linux desktop software stack is far worse relative to the others. Security and privacy are such low priorities. It's really a complete joke and it's hard to even choose where to start in terms of explaining how bad it is. There's almost a complete disregard for sandboxing / privilege separation / permission models, exploit mitigations, memory safe languages (lots of cultural obsession with using memory unsafe C everywhere), etc. and there isn't even much effort put into finding and fixing the bugs. Look at something like Debian where software versions are totally frozen and only a tiny subset of security fixes receiving CVEs are backported, the deployment of even the legacy exploit mitigations from 2 decades ago is terrible and work on systems integration level security features like verified boot, full system MAC policies, etc. is near non-existent. That's what passes as secure though when it's the opposite. When people tell you that Debian is secure, it's like someone trying to claim that Windows XP with partial security updates (via their extended support) would be secure. It's just not based in any kind of reality with any actual reasoning / thought behind it.
Fair criticism, would you say?

Is it true that only a fraction of CVEs actually get fixed in Debian Stable? I always assumed that they all get fixed.

---
Edit:

I cross-posted this in LQ forums also, where someone pointed me to Debian's security tracker for Chromium, which as of this writing looks pretty bad (looks like ~100 vulnerabilities in Stable): https://security-tracker.debian.org/tra ... e/chromium
Using Firefox instead of Chromium is not a good solution either, as Firefox is not well-regarded by security researchers: https://madaidans-insecurities.github.i ... cher-views

I'm marking this as 'SOLVED' in light of this. While I'll continue to use Debian (no better alternative AFAICT), one should probably stay away from the browsers that come with it.

---
Edit2:
Saving the screenshot for context, in case the vulns situation changes. The vulns date back to 3 months ago, while Debian 11 was released 2 months ago. So they released it with open CVEs in Chromium, and left them there!

Last edited by maxb on 2021-11-11 20:09, edited 4 times in total.

dilberts_left_nut
Administrator
Posts: 5343
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#2 Post by dilberts_left_nut »

AdrianTM wrote:There's no hacker in my grandma...

Hallvor
Global Moderator
Posts: 2020
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 138 times
Been thanked: 204 times

Re: Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#3 Post by Hallvor »

Debian is perhaps the most popular server OS and has a very serious security team. If only a tiny fraction of vulnerabilities were fixed, Debian servers would be hacked more than anything else.

Compare these two and see if you still agree with him:
https://www.cvedetails.com/product/36/D ... ndor_id=23
https://www.debian.org/security/2021/

From the original link:
FreeBSD also has a less secure kernel, malloc, etc. but at least it doesn't have nonsense like systemd greatly expanding attack surface written with tons of poorly written C code.
How does he even dare criticize a genius like Lennart Poettering. :lol:
[HowTo] Install and configure Debian bookworm
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD

cynwulf

Re: Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#4 Post by cynwulf »

It's a more or less fair criticism of Linux. I'm just not sold on "verified boot". In my view that's "pseudo security", and part of a corporate smoke and mirrors game from Microsoft, Apple, Google, et al., to prevent/deter installation of alternative operating systems, on those platforms which are tied up with, usually secret, long standing OEM deals.

With regards to Debian, it's more of what really equates to a "what is the point of Debian" critique. That has come up in the past and will again.

"Stable" software does not actually guarantee a bug free and secure OS. Unfixed bugs, which are addressed in newer versions, can still persist in "stable" software. A good example is Linux LTS kernels, which are maintained to serve enterprise and are not really of much benefit to desktop hobbyist users. Over the years we have come across users fighting with some insurmountable bug in the kernel version which releases with any given Debian stable release - only to find that it has been fixed in the latest stable kernel. I've had my fair share of problems with LTS kernels in Debian and in Slackware and have found a solution, 9 times out of 10, in moving to the stable kernel and seeing my problem resolve itself.

This is because the goal of LTS is not simply security, with that as the principal focus, but "stability" for deployment in enterprise, where predictability and uniformity are key and where some breakage relating to graphical desktops or some particular graphics hardware, where the impact can be predicted and managed, is much less relevant than a change introduced in the stable kernel which could bring a server farm to its knees. If Debian stable (and by extension Ubuntu) cannot be deployed in enterprise, namely by some of those who fund the project via SPI, then it becomes a very large "hobby project" and not much else.

OpenBSD for example is a security focused OS, but with a 6 monthly release cycle and nothing like the Linux, Red Hat, Ubuntu or Debian LTS support, it is in effect a research OS, rather than a production one.

ticojohn
Posts: 1284
Joined: 2009-08-29 18:10
Location: Costa Rica
Has thanked: 21 times
Been thanked: 44 times

Re: Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#5 Post by ticojohn »

Snowden and Dorsey? Gag me with a spoon.
I am not irrational, I'm just quantum probabilistic.

maxb
Posts: 52
Joined: 2021-10-19 05:26
Has thanked: 2 times
Been thanked: 2 times

Re: Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#6 Post by maxb »

dilberts_left_nut wrote: 2021-10-27 06:23 https://www.debian.org/security/

Have a look.

I looked at it, and also the security FAQ. I don't think they explicitly say that all MITRE CVE fixes that apply to "main" get backported. One side's implying (?) it's 100%. The other side's saying it's a "tiny subset". They can't both be right.

ticojohn
Posts: 1284
Joined: 2009-08-29 18:10
Location: Costa Rica
Has thanked: 21 times
Been thanked: 44 times

Re: Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#7 Post by ticojohn »

maxb wrote: 2021-10-27 19:07
dilberts_left_nut wrote: 2021-10-27 06:23 https://www.debian.org/security/

Have a look.
I looked at it, and also the security FAQ. I don't think they explicitly say that all MITRE CVE fixes that apply to "main" get backported. One side's implying (?) it's 100%. The other side's saying it's a "tiny subset". They can't both be right.

So I guess you would rather believe people that are interested solely in wealth and fame over people that are dedicated to bringing the best stable and secure OS to the world. Makes sense to me. :?

sunrat
Administrator
Posts: 6382
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 115 times
Been thanked: 456 times

Re: Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#8 Post by sunrat »

Moved to "General Debian" as it is a discussion whereas it was originally posted in a support subforum.
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!

Hallvor
Global Moderator
Posts: 2020
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 138 times
Been thanked: 204 times

Re: Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#9 Post by Hallvor »

maxb wrote: 2021-10-27 19:07 I looked at it, and also the security FAQ. I don't think they explicitly say that all MITRE CVE fixes that apply to "main" get backported. One side's implying (?) it's 100%. The other side's saying it's a "tiny subset". They can't both be right.

I know this reply isn't for me, but I already gave you both the CVE-details and security announcements. If you are really interested in this, I think it is better if you do your own research by comparing them.

maxb
Posts: 52
Joined: 2021-10-19 05:26
Has thanked: 2 times
Been thanked: 2 times

Re: Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#10 Post by maxb »

Hallvor wrote: 2021-10-27 07:46 Compare these two and see if you still agree with him:

I didn't say I agreed with him. I'm just asking a question here.
These don't seem to show what percentage is fixed vs unfixed. You may find these links useful:

https://security-tracker.debian.org/tra ... kage/linux
https://security-tracker.debian.org/tra ... e/chromium # check out all of the red! Still, Micay argues you are much better off using Chrome.
https://security-tracker.debian.org/tra ... irefox-esr

Hallvor
Global Moderator
Posts: 2020
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 138 times
Been thanked: 204 times

Re: Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#11 Post by Hallvor »

maxb wrote: 2021-10-28 03:19 These don't seem to show what percentage is fixed vs unfixed.

Thanks for the links. If you already knew the answer, it makes me wonder why you asked in the first place.

Why don't you go over all the packages with CVEs the last year or so and calculate an average? Then we'll see if the claim that "only a tiny subset of security fixes receiving CVEs are backported" is true or false.

It seems that there is hostility between him and certain people in the GNU/Linux community. Maybe he has a point; I don't know. Or maybe it's personal.

https://twitter.com/DanielMicay/status/ ... 2230425602
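One way to actually do the tally Hallvor suggests above, as an added example for this thread (not code from the thread, from Debian's security team, or from GrapheneOS): Debian's security tracker publishes a machine-readable export at https://security-tracker.debian.org/tracker/data/json, keyed by source package and CVE id, with a per-release status. The script below reads that shape and sorts a release's CVEs into resolved, open, no-dsa, unimportant and undetermined buckets, because the tracker distinguishes "open and awaiting a DSA" from "open but marked no-dsa (minor issue, any fix comes through a point release rather than an advisory)" and "unimportant (not a real exposure in Debian)", and a raw red/green count such as the Chromium page in the thread conflates them. It also illustrates why comparing upstream version strings, as epp does further down, undercounts: a stable fix normally ships as a patch backported to the frozen upstream version (1.0-1 becomes 1.0-1+deb11u1), so only the tracker or the package changelog tells you which CVEs are closed. The field names (`status`, `urgency`, `fixed_version`, `nodsa`, `repositories`) mirror the live export as I read it but are an assumption, not a published schema; the embedded sample is constructed, with placeholder CVE-0000-* ids that are not real vulnerabilities.

```python
"""Tally a Debian release's tracked CVEs by status from the security tracker's
JSON export.  Added example for this forum thread; not Debian's own tooling.

Assumed shape of https://security-tracker.debian.org/tracker/data/json
(mirrors the live export as I read it; treat the field names as an assumption):

    {source_pkg: {cve_id: {"scope": ..., "releases": {codename: {
        "status": "open" | "resolved" | "undetermined",
        "urgency": ..., "fixed_version": ...,
        "nodsa": ...,            # present only when marked no-dsa
        "repositories": {...}}}}}}
"""
import json
import urllib.request
from collections import Counter, defaultdict

TRACKER_URL = "https://security-tracker.debian.org/tracker/data/json"

# Constructed sample.  CVE-0000-* are placeholders, not real identifiers.
SAMPLE_JSON = json.dumps({
    "chromium": {
        # two open in stable, fixed in sid by a new upstream release
        "CVE-0000-0001": {"scope": "remote", "releases": {
            "bullseye": {"status": "open", "urgency": "high",
                         "repositories": {"bullseye": "1.0-1"}},
            "sid": {"status": "resolved", "urgency": "high",
                    "fixed_version": "1.1-1", "repositories": {"sid": "1.1-1"}}}},
        "CVE-0000-0002": {"scope": "remote", "releases": {
            "bullseye": {"status": "open", "urgency": "high",
                         "repositories": {"bullseye": "1.0-1"}},
            "sid": {"status": "resolved", "urgency": "high",
                    "fixed_version": "1.1-1", "repositories": {"sid": "1.1-1"}}}},
        # one already fixed in stable
        "CVE-0000-0003": {"scope": "remote", "releases": {
            "bullseye": {"status": "resolved", "urgency": "high",
                         "fixed_version": "1.0-2", "repositories": {"bullseye": "1.0-2"}}}},
    },
    "linux": {
        # fixed in stable by a backported patch: same upstream version, +deb11u1 suffix
        "CVE-0000-0004": {"scope": "local", "releases": {
            "bullseye": {"status": "resolved", "urgency": "medium",
                         "fixed_version": "1.0-1+deb11u1",
                         "repositories": {"bullseye": "1.0-1+deb11u1"}}}},
        # triaged as not a real exposure in Debian's build
        "CVE-0000-0005": {"scope": "local", "releases": {
            "bullseye": {"status": "open", "urgency": "unimportant",
                         "repositories": {"bullseye": "1.0-1+deb11u1"}}}},
        # open but marked no-dsa: minor, no advisory planned
        "CVE-0000-0006": {"scope": "local", "releases": {
            "bullseye": {"status": "open", "urgency": "low", "nodsa": "Minor issue",
                         "repositories": {"bullseye": "1.0-1+deb11u1"}}}},
    },
    "firefox-esr": {
        "CVE-0000-0007": {"scope": "remote", "releases": {
            "bullseye": {"status": "resolved", "urgency": "high",
                         "fixed_version": "2.0-1", "repositories": {"bullseye": "2.0-1"}}}},
        # tracked only for sid: stable is not affected and must not be counted
        "CVE-0000-0008": {"scope": "remote", "releases": {
            "sid": {"status": "open", "urgency": "high",
                    "repositories": {"sid": "3.0-1"}}}},
    },
})

BUCKETS = ("resolved", "open", "no-dsa", "unimportant", "undetermined")


def classify(rel):
    """Map one release entry to a bucket; a raw red/green view hides the last three."""
    status = rel.get("status", "undetermined")
    if status == "resolved":
        return "resolved"
    if status != "open":
        return "undetermined"
    if rel.get("urgency") == "unimportant":
        return "unimportant"
    if "nodsa" in rel:
        return "no-dsa"
    return "open"


def per_package(tracker, release):
    """Return {package: Counter(bucket -> n)} for CVEs tracked against `release`."""
    data = json.loads(tracker) if isinstance(tracker, str) else tracker
    out = defaultdict(Counter)
    for pkg, cves in data.items():
        for info in cves.values():
            rel = info.get("releases", {}).get(release)
            if rel is None:          # release absent: not affected / not tracked
                continue
            out[pkg][classify(rel)] += 1
    return dict(out)


def tally(tracker, release):
    """Sum every package into one Counter with all buckets present (zero if empty)."""
    total = Counter({b: 0 for b in BUCKETS})
    for counts in per_package(tracker, release).values():
        total.update(counts)
    return total


def fixed_fraction(counts):
    """Share of actionable issues (resolved + open + no-dsa) that are resolved.
    'unimportant' and 'undetermined' are left out: they are not fixable exposures."""
    actionable = counts["resolved"] + counts["open"] + counts["no-dsa"]
    return counts["resolved"] / actionable if actionable else 1.0


def fetch_live(url=TRACKER_URL):
    """Download the real export (tens of MB); not used by the offline demo below."""
    with urllib.request.urlopen(url, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    release = "bullseye"
    for pkg, c in sorted(per_package(SAMPLE_JSON, release).items()):
        print(f"{pkg:12s}", " ".join(f"{b}={c[b]}" for b in BUCKETS))
    t = tally(SAMPLE_JSON, release)
    print("total       ", " ".join(f"{b}={t[b]}" for b in BUCKETS))
    print(f"fixed fraction of actionable issues: {fixed_fraction(t):.0%}")
```

Run against the live export by replacing `SAMPLE_JSON` with `fetch_live()`; the per-package view is the one that answers the thread's question, since a browser that Debian can only fix by shipping a whole new upstream release looks very different from a library that gets a two-line backported patch under the same version number.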

maxb
Posts: 52
Joined: 2021-10-19 05:26
Has thanked: 2 times
Been thanked: 2 times

Re: Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#12 Post by maxb »

Hallvor wrote: 2021-10-28 06:34 If you already knew the answer, it makes me wonder why you asked in the first place.

These links don't give you the answer to my original question: (1) the overall stats are unclear, (2) many/some CVEs are on MITRE, but not in Debian's tracker.

Hallvor
Global Moderator
Posts: 2020
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 138 times
Been thanked: 204 times

Re: Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#13 Post by Hallvor »

maxb wrote: 2021-10-28 06:46 These links don't give you the answer to my original question: (1) the overall stats are unclear, (2) many/some CVEs are on MITRE, but not in Debian's tracker.

You are just muddying the waters here. The facts are simple:

1. He makes a sensational claim and offers nothing to back it up.
2. His Twitter account shows that he is a troubled individual with personal grievances towards "certain people" in the GNU/Linux community.
3. The statistics are more than good enough if you can be bothered to do a little homework and cross reference them. After all, you don't even need an exact answer with two decimals to refute a sweeping generalization like this one. A rough estimate will do just fine.

Another option is to send him an e-mail and ask him what he means. While you are at it, contact the Debian Security Team for a comment.

The least useful approach is asking questions here. This is a Debian user forum, and as far as I know, there are no security professionals here: You are asking the wrong people.

Good luck, and bye.

canci
Global Moderator
Posts: 2497
Joined: 2006-09-24 11:28
Has thanked: 135 times
Been thanked: 134 times

Re: Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#14 Post by canci »

Hallvor, I don't think doing research and contacting Debian developers fits into the attention span of Reddit and Twitter users. It's more about the high one gets from sensationalist news rather than making a valid point.
Stable / Asus VivoBook X421DA / AMD Ryzen 7 3700U / Radeon Vega Mobile Gfx (Picasso) / 8 GB RAM / 512GB NVMe

READ THIS:

* How to Post a Thread Here
* Other Tips and Great Resources

ticojohn
Posts: 1284
Joined: 2009-08-29 18:10
Location: Costa Rica
Has thanked: 21 times
Been thanked: 44 times

Re: Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#15 Post by ticojohn »

canci wrote: 2021-10-28 09:31 Hallvor, I don't think doing research and contacting Debian developers fits into the attention span of Reddit and Twitter users. It's more about the high one gets from sensationalist news rather than making a valid point.

Unfortunately sensationalism and immediate gratification have become the common mode of thinking (or non-thinking) for a huge percentage of the human population.

maxb
Posts: 52
Joined: 2021-10-19 05:26
Has thanked: 2 times
Been thanked: 2 times

Re: Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#16 Post by maxb »

maxb wrote: 2021-10-27 19:07 One side's implying (?) it's 100%. The other side's saying it's a "tiny subset". They can't both be right.

... but they can both be wrong, which seems to be the case here.

maxb
Posts: 52
Joined: 2021-10-19 05:26
Has thanked: 2 times
Been thanked: 2 times

Re: Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#17 Post by maxb »

canci wrote: 2021-10-28 09:31 Hallvor, I don't think doing research and contacting Debian developers

Are Debian users encouraged to post in developer forums or mailing lists when they have questions? I think not.

(To clarify: I'm a developer. My software is in Debian, even. But I'm not a Debian developer)

fits into the attention span of Reddit and Twitter users.

Feel superior to others just because you use phpBB instead of reddit? I hope that someday you'll have something else to be proud of.

canci
Global Moderator
Posts: 2497
Joined: 2006-09-24 11:28
Has thanked: 135 times
Been thanked: 134 times

Re: Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#18 Post by canci »

It's sadly been my experience that reddit, as any commercial GAFAM-like website, tends to favour sensationalism over thorough reporting or research. Don't take it personally. That's not to say that everything on reddit is shite, just as a lot of things on these forums might be shite, too. At least here though there's less of a likelihood that someone is trying to squeeze money out of the manure. And at least my adblocker doesn't have to work overtime to shield me from 10 000 companies just because I'm trying to read a few posts, so there's lots to feel superior about compared to reddit.

maxb
Posts: 52
Joined: 2021-10-19 05:26
Has thanked: 2 times
Been thanked: 2 times

Re: Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#19 Post by maxb »

Hallvor wrote: 2021-10-28 08:04 1. He makes a sensational claim and offers nothing to back it up.

I agree, but he's not a random kook. Have you built anything that has a Wikipedia page? Are you ranting on something that's in your area of expertise? If so, I'll pay attention even if you don't back up your claims.

2. His Twitter account shows that he is a troubled individual with personal grievances towards "certain people" in the GNU/Linux community.

I agree with this also, but I've seen this pattern many times. Some people care about shining light on some facts they are obsessed with more than they care about the social consequences of speaking out. If the security of Linux is as bad as he says, and he speaks about it, do you not think that "certain members" of the community will react very negatively?

You are asking the wrong people.

OK, got it.

epp
Posts: 196
Joined: 2011-03-11 23:22
Has thanked: 1 time

Re: Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#20 Post by epp »

I would say that fixing vulnerabilities seems to be rather slow. All one has to do is look at the current versions (as of today) of Firefox, Thunderbird (I believe both current versions are now at EOL?) and Chromium that are in the repositories.

Firefox 91.0esr was first made available back in August. I believe Debian should have made that version series available back then. Chromium is now on version 95. Version 90 is still in the repositories as of this moment.
