Here's a post from Wilders Security forums where Summerheat says that many security flaws in Universe in Ubuntu may not be fixed fixed whereas in Debian they all are fixed.
https://www.wilderssecurity.com/threads ... rt.385386/An article on heise.de reminds again of the fact that this LTS support only applies to the main repository (with about 7.300 packages in 16.04), not to universe (with about 45.500 packages) . This is critical as many packages therein are no longer maintained and can therefore be affected by security holes.
[Examples]
The thing is that those vulnerabilities are all fixed in Debian as all provided packages are maintained and security fixes are backported.
Here's a post by Thomas Ward on AskUbuntu saying that the situation in Ubuntu is much the same as in Debian. He says that the more popular packages in Universe are likely to have security flaws fixed.
https://askubuntu.com/questions/618727/ ... ame-packagEven in Debian, there are many many packages that don't get regular security updates.
...
While you are not guaranteed any updates for these packages, a lot of the popular ones will have enough attention to usually have someone working to try and patch security issues.
Here;s a post by ian-weisser saying that many less than popular packages do not get security fixes in Ubuntu Universe.
https://ubuntuforums.org/showthread.php ... st14151474Universe packages are supposed to be provided by the community, but few volunteers do it, so generally they were not happening for many less-popular packages.
Then there's the Debian documentation which seems to indicate that indeed, if a security flaw is reported to the security team then it does get fixed.
https://www.debian.org/security/faq#handlingOnce the security team receives a notification of an incident, one or more members review it and consider its impact on the stable release of Debian (i.e. if it's vulnerable or not). If our system is vulnerable, we work on a fix for the problem.
https://www.debian.org/doc/manuals/secu ... n-sec-team
The documentation claims that most security flaws are fixed by any distribution. In section 12.1.1.1 they say
But there are too many packages to audit for security flaws. But many people are using stable packages so most will get uncovered. In section 12.1.1.8 they sayKnown security updates are rarely, if ever, left unfixed by a distribution vendor.
https://www.debian.org/doc/manuals/secu ... 12.en.htmlThe Debian security team cannot possibly analyze all the packages included in Debian for potential security vulnerabilities, since there are just not enough resources to source code audit the whole project.
...
However, Debian users can take confidence in the fact that the stable code has a wide audience and most problems would be uncovered through use.
Can anyone add any insight to this? Are most security flaws in Debian getting fixed or not?
