Navigation

Language Selection

Search

CVE patching is not making your Linux secure

Submitted by Roy Schestowitz on Tuesday 10th of December 2019 08:29:16 PM Filed under

Security

Would you like to enhance your Linux security? Do you wonder what factors should be considered when evaluating your open source security from both – the infrastructure and the application perspectives? Are you keen to learn the Ubuntu security team approach? I’ve learned that CVE patching is indeed an important puzzle, but without a structured approach, professional tools and well-defined processes in place, your Linux environment will not be secure.

What do Linux security experts say?

I got inspired by all these questions during the Open Source Security Summit, which was followed by the Linux Security Summit. I really enjoyed a week full of keynotes, workshops and meaningful conversations. So much so that, in my notebook, I noted down some really good quotes about the Linux security. For instance, Kelly Hammond from Intel opened her keynote by saying that “security is like doing the laundry or the dishes – it’s never done”.

Linux security is more complicated than fixing CVEs

Fixing CVEs is a continuous job that all Linux security teams focus on. In his keynote, Greg Kroah-Hartman from the Linux Foundation looked at this problem from the kernel perspective. In his exact words “CVEs mean nothing for the kernel” because very few CVEs are ever going to be assigned for the kernel. A stable Linux kernel receives 22-25 patches every day without any CVE process involved. So Greg’s position on the Linux security comes down to always using the latest stable kernel and not worrying about CVEs.

Also: Security updates for Tuesday

Login or register to post comments
Printer-friendly version
1761 reads
PDF version

More in Tux Machines

Games: ENCODYA, Stadia and More

Save the world in the dark sci-fi adventure ENCODYA out now

ENCODYA is an adventure that follows a little girl with a world-changing plan and her big clumsy robot, set in a dark and grey cyberpunk Neo-Berlin it's a pretty bleak future. Note: key provided by the publisher. You know what I always find interesting about games like this? We've gone from them being total fiction, to often mirroring exactly how things seem to be going. Alarming in many ways but thankfully due to the stories they tell, they can often bring a bit of needed escapism in troubling times. ENCODYA is exactly that. [...] Not many downsides to it overall, although I do think you already need to appreciate object hunting point and click adventures to enjoy it, even on "Easy" mode. SAM, your big robot friend, also needs to move out the damn way when you're doing something as it's often in the way and that does become a nuisance because SAM sticks out like a sore thumb often. For the Linux version, I've got absolutely no complaints and the performance was fantastic. So on a technical point, it was really great. If you enjoy good looking point and click puzzlers, especially if they make you scratch your head along with an interesting story - ENCODYA seems like a good choice.
Gaming On LINUX: A Beginner's Guide

Windows has been dominating the gaming space on PCs. Many people switch to Linux either for work purposes or just to try out a new flavour of an operating system, but are left aloof when it comes to gaming. Linux has a lot of flavours and customizations available. You can customize every aspect of the system. If you have a Linux based system and are looking to play games on it then this is a guide to help you find and play the best games for your system. [...] There are several tools such as PlayOnLinux, which allow you to run Games and Windows applications on Linux, which uses WINE and installs the game natively as you would on a Windows PC.
Stadia gets Journey to the Savage Planet free for Pro, Madden NFL 21 coming | GamingOnLinux

Stadia continues building up a nice selection of games for those interested in the convenience game streaming offers, with more titles announced now. One I've seen a lot of Stadia users ask for is more Madden and this has been answered, as Madden NFL 21 will be releasing January 28 along with a Free Weekend for Stadia Pro subscribers.

Looks Like Fedora 34 Workstation Will Ship with the GNOME 40 Desktop by Default

The Fedora development team decided not to break protocol and continue following the latest upstream GNOME releases for its next major release, Fedora 34. As you probably know already, Canonical recently revealed that its upcoming Ubuntu 21.04 (Hirsute Hippo) distro release won’t ship with GNOME 40 due its major UI redesign. This won’t happen with Fedora Linux, as it looks like the upcoming Fedora Linux 34 release will offer a pure GNOME 40 desktop experience on its flagship ‘Workstation’ edition. As GNOME 40 is built using the latest GTK 4 toolkit, that will be included as well in Fedora 34, due for release in late April 2021.

Android Leftovers

Latest on CentOS

CentOS Linux ending because "Red Hat simply refused to invest in it" | TechRadar
The killing of CentOS Linux: 'The CentOS board doesn't get to decide what Red Hat engineering teams do'

Brian Exelbierd, responsible for Red Hat liaison with the CentOS project and a board member of that project, has told The Register that CentOS Linux is ending because Red Hat simply refused to invest in it. Early last month Red Hat shocked users of CentOS, a free community build of the same sources that make up the commercial Red Hat Enterprise Linux (RHEL), by revealing that CentOS Linux would cease and be replaced by CentOS Stream, a build of what is likely to be in the next RHEL update. What happened, and how is it possible that the supposedly independent CentOS project conformed to a change of direction that was not driven by the wishes of its own members? "Red Hat participates in lots of open-source projects and communities. Red Hat sponsors some open-source projects and communities," said Exelbierd. "CentOS is a sponsored project, we are the funding agent and we happen to also be a heavy contributor. We have learned that open-source communities do well with independence. We let those governing bodies govern."
CloudLinux Hopes to Release CentOS Replacement AlmaLinux This Week | Data Center Knowledge

It is one of two CentOS clones being built to fill the void left by Red Hat's unpopular decision to end CentOS's role as a downstream version of RHEL.
CloudLinux Expands Its Extended Lifecycle Support Services to Cover More End-of-Life Linux Distributions | Business Wire

CloudLinux announces the expansion of its affordable Extended Lifecycle Support (ELS) services for Linux distributions, by providing its own updates and security patches for several years after expiration of the products’ end-of-life date. For example, support for CentOS 6 from Red Hat expired November 30 last year.

Latest News

today's howtos

Multi-OS PXE-booting from FreeBSD 12: Introduction (pt. 1)

This is an introductory article; if you’re familiar with PXE you will want to skip the excursion but may be interested in the “Why”. The article ends with the post-installation setup of my test machine, turning it into a simple router so that the next article can start with the actual PXE-related setup.
Annotate your PDF files on OpenBSD

On my journey to leave macOS, I regularly look to mimic some of the features I use. Namely, annotating (or signing) PDF files is a really simple task using Preview. I couldn’t do it on OpenBSD using Zathura, Xpdf etc. But there is a software in the ports that can achieve this: Xournal.

Xournal is “an application for notetaking, sketching, keeping a journal using a stylus“. And now that my touchscreen is calibrated, highlighting can even be done with the fingers :)
30 Basic Linux Commands For Beginners [Linux 101]

When I was introduced to Linux, I had a pretty hard time getting used to and learning Linux commands. There’s no secret to learning Linux in a day or two easily but to practice, fail, stand up and practice again, and learn from your mistakes. The easiest way to learn Linux is not to abandon it if you don’t understand how it works. In this article, let’s look at some of the basic Linux commands for beginners. This list of Linux terminal commands contains all the common commands. Think of it as a Linux command cheat sheet as it contains almost all the basic ones to get you started.
How to Verify SHA256 Checksum of File in Linux

Internet security is one of the most important aspects when it comes to the world wide web. There has been constant research and development to improve the security of applications and files on the Internet and thus to prevent malicious use. Downloadable files over the Internet are often the target of attacks on the Internet. As thousands and thousands of people download these files regularly, it becomes especially important to protect such files. In this article, we will learn about checksums and how they can be used to authenticate a downloaded file from the Internet.
How to Check Linux Commands History by Dates

The history command in Linux is used to view previously executed commands from the terminal. It will show a list of commands, with an ‘id’ next to each command.
How to restore Ubuntu’s EFI partition in Ubuntu 20.04

I recently got a new pre-loved laptop and as always I nuked Windows but in the process of booting up, I noticed that my BIOS was a bit out of date. Like a whole year out of date.
How to Install and Use Docker Compose on Ubuntu 20.04 | 18.04

Docker Compose is a command-line tool for defining and running multi-container applications. With Docker compose, you can run multiple containers as a single service. The containers are still isolated, but they can interact with each other. With Docker compose, you get the benefits of single-host deployment, great security, ease of setup and configuration which leads to really high productivity and efficiency. For example, if you have an application that requires an Apache web server and MariaDB database, you can create a docker-compose.yaml file that can run both the containers as a service without the need to start each one separately.
How to capture terminal sessions and output with the Linux script command | Enable Sysadmin

The Linux script command creates a typescript file from your terminal session. This means that if you invoke the script command, you are dropped to a "watched and recorded" terminal session subshell that's saved to an ASCII text file. When created with a timing file, you can replay the session, including output. The purpose of script is that you can easily grab sample output from any command through an interactive session exactly as it's displayed in your terminal. You can use backspace, edit files, create files, and run simple or complex commands.
How to replay terminal sessions recorded with the Linux script command | Enable Sysadmin

In my previous article, How to capture terminal sessions and output with the Linux script command, covering the script command and some common options, you learned how to record your interactive terminal sessions. This follow-up article demonstrates how to replay those recorded terminal sessions.
Critical bug in sudo puts Linux and Unix systems at risk

Any logged-in unprivileged user can abuse an old bug in sudo to gain root privileges. It was rated as an important security issue for Linux and Unix-like operating systems. The Qualys research team has discovered the heap overflow vulnerability in sudo itself has been hiding in plain sight for nearly 10 years. The bug allows any local users to gain root access without authentication (no user's password needed). We need to apply patches to our operating systems as soon as possible.The post Critical bug in sudo puts Linux and Unix systems at risk appeared first on nixCraft.
How to Install JDownloader on Debian

JDownloader is a great tool that can be used to download files from multiple servers simultaniously. It is open source and is supported on all major platforms, the tool is written in Java. It comes in handy when you have to download multiple files at once located at different file hosting services. This tool provides you with the control to pause, stop or start the downloads. It allows you to set bandwidth limitations and it saves a lot of time by changing the way you download files from the internet. In this article, we will explain how to install JDownloader on a Debian OS. We have used Debian 10 for running the commands and procedure described in this article.
How To Set Or Change Hostname On Linux - OSTechNix

We already discussed how to view or find a Linux system's hostname. In this brief guide, we will see how to set or change hostname in Linux, either temporarily or permanently.

The Power of CMake Presets

CMake 3.19 was officially released a couple of months ago, and one of the biggest – and most exciting – new features is the addition of presets. What are presets, you might ask, and why should we be excited about them? Presets are a bunch of pre-set CMake options that enable developers to ensure that multiple configurations remain consistent, even when using different compiler tool chains, inserting different debugger or profiler options, or building selected packages within a project. Essentially, you put definitions of the CMake options you want into one of two JSON files: one associated with the project, and one for the user.

Daniel Lange: Installing System Rescue (CD) to a flash drive

System Rescue, the project formerly known as System Rescue CD, has moved from being based on Gentoo to being built on Arch Linux packages. With this their ISO layout changed substantially so when updating my trusty recue USB flash drive, I could not just update the kernel, initrd and the root filesystem image as I had typically done every other year before. The "Installing on a USB memory stick" documentation is good for Windows (use Rufus, it's nice) but rather useless for Linux. They recommend a dd or the fancy graphical version of that, called usbimager.

Syndication & Social Media

Follow the site via RSS/Twitter.

Full RSS:

RSS feeds for particular topics are also available

Twitter:

Content (where original) is available under CC-BY-SA, copyrighted by original author/s.

Support Tux Machines

Help Support TM
Wall of Appreciation

Gizmoz

LXer

UbuntuBuzz

SparkyLinux

Linux Journal

Linux Today

System 76

Kernel Planet

Purism

LinuxSecurity.com Advisories

Debian

It's FOSS

OMG! Ubuntu!

GamingOnLinux

Slashdot

DW Latest Releases

DistroWatch

More on Tux Machines: About ● Gallery ● Forum ● Blogs ● Search ● News ● RSS Feed

Part of Bytes Media ● Sister sites below.

FSF

Ubuntu Buzz

LinuxLinks

Content available under CC-BY-SA