Language Selection

English French German Italian Portuguese Spanish

Debian addresses security concerns

Filed under
Linux

The organization's security team has issued a host of announcements and informed the community it has resolved problems with the infrastructure governing security updates.

"There were several issues with the security infrastructure after the release of Sarge [aka Debian 3.1] that led to the Debian security team being unable to issue updates to vulnerable packages. These issues have been fully resolved, and the infrastructure is working correctly again," it said in a statement issued this afternoon.

Debian's elected leader Branden Robinson yesterday flagged an inquiry into the processes by which security updates are released, citing a potential lack of transparency and communication failures.

It was also an appropriate time to add new members to Debian's security team, as several have been inactive for a while, Robinson said in an e-mail to developers. He admitted the organisation had been "sluggish" in the area recently and said the focus would now be on ensuring Debian was not plagued with such problems again.

He said an inquiry -- to be conducted by developer Andreas Barth -- would allow the organisation to attack weak points.

"One thing I'd like to see is better documentation of the internal workings of the security update process," he wrote. "With a broader understanding of the security workflow, I'm hopeful that people will be less likely to draw erroneous inferences about what the causes of problems are, and more likely to make offers of assistance that prove fruitful."

Robinson said he expects to spend a lot of time talking about the security issue to Debian developers and representatives of the user community at the upcoming sixth annual Debian developer conference on July 10 in Helsinki, Finland.

"Many people have stepped forward in public or in private to offer us assistance with ensuring that this problem does not recur," he said, "and that Debian upholds its valuable reputation as a consistent provider of timely security updates to its users."

"I regret the interruption of this service, but with so many people determined to apply their skills to this facet of our responsibilities, I'm confident that we can prevent its recurrence."

Robinson said after "extensive conversations with many people", he suspected two factors were at the heart of Debian's security woes.

Firstly, he said the security team had not been given enough manpower to deal with the demands being placed on it. In addition, there was a failure in the process of actually distributing security updates that were ready to go out.

In the statement issued this afternoon, Debian warned users against installing packages from the "sarge-proposed-updates" suite, as some Web sites had been advocating as a temporary fix before official updates became available.

"Those packages are currently under development and may not work properly," the statement said. "In addition, those packages may not provide users with timely security fixes."

By Renai LeMay
ZDNet Australia

More in Tux Machines

Mastodon 2.0

About 6 months have passed since April, during which the major mainstream breakthrough of our decentralized social network took place. From 20,000 users to almost a million! What better time to run through a couple examples of what’s been introduced since then? Mastodon is defined by its focus on good user experience, polished design and superior anti-abuse tools. In that vein, the web app has received numerous updates. Using the latest browser features, the web app receives real push notifications, making it almost indistinguishable from a native mobile app. It works faster and looks smoother thanks to many performance and design improvements. Read more

Red Hat: Satellite, OpenShift, Government, SoftBank

  • A Red Hat Satellite tutorial to install an update server
    Is server patch management the best part of your job? Stop reading here. Many IT organizations struggle with OS patching processes. For Red Hat administrators who are willing to invest some initial energy to simplify later tasks, Satellite provides infrastructure lifecycle management, including capabilities for provisioning, reporting and configuration management. To this end, follow this Red Hat Satellite tutorial to set up a simple server for updates. Once we review how to install the basic update server, we'll create one example client.
  • Red Hat updates Gluster storage for OpenShift container apps
    Red Hat bolstered Gluster storage for its OpenShift Container Platform, adding iSCSI block and S3 object interfaces, as well as greater persistent volume density.
  • Red Hat to Cover Open Source Collaboration at Gov’t Symposium; Paul Smith Comments
    Red Hat (NYSE: RHT) is set to hold its annual symposium on federal information technology on Nov. 9 where the company will host discussions on open source collaboration and its potential benefits for government, GovCon Executive reported Oct. 11.
  • Red Hat’s Container Technologies and Knowledge Were Chosen by SoftBank to Embrace DevOps
    Red Hat, Inc. (NYSE: RHT), the world's leading provider of open source solutions, today announced that several of Red Hat’s open source technologies, including Red Hat OpenShift Container Platform, as well as the knowledge of Red Hat Consulting, were chosen by SoftBank Corp (“SoftBank”), a subsidiary of SoftBank Group Corp., to implement DevOps methodology for its Service Platform Division, IT Service Development Division, Information Technology Unit, and Technology Unit, the company’s in-house IT organization. This large, varied organization develops, maintains and operates SoftBank’s IT systems for internal work and operations, supporting 600 diverse systems.
  • Form 4 RED HAT INC For: Oct 17 Filed by: Kelly Michael A
  • Taking a Fresh Look at Red Hat, Inc. (RHT)

Security: Google Play, WPA2, FERC, HackerOne

  • 8 'Minecraft' apps infected with Sockbot malware on Google Play found adding devices to botnet

    Security researchers have discovered that at least eight malware-laced apps on Google Play Store are ensnaring devices to a botnet to potentially carry out distributed denial-of-service (DDoS) and other malicious attacks. These apps claimed to provide skins to tweak the look of characters in the popular Minecraft: Pocket Edition game and have been downloaded as many as 2.6 million times.

  • KRACK Vulnerability: What You Need To Know
    This week security researchers announced a newly discovered vulnerability dubbed KRACK, which affects several common security protocols for Wi-Fi, including WPA (Wireless Protected Access) and WPA2. This is a bad vulnerability in that it likely affects billions of devices, many of which are hard to patch and will remain vulnerable for a long time. Yet in light of the sometimes overblown media coverage, it’s important to keep the impact of KRACK in perspective: KRACK does not affect HTTPS traffic, and KRACK’s discovery does not mean all Wi-Fi networks are under attack. For most people, the sanest thing to do is simply continue using wireless Internet access.
  • FERC sets rules to protect grid from malware spread through laptops
    The Federal Energy Regulatory Commission on Thursday proposed new mandatory cybersecurity controls to protect the utility system from the threat posed by laptops and other mobile devices that could spread malicious software. The standards are meant to "further enhance the reliability and resilience of the nation's bulk electric system" by preventing malware from infecting utility networks and bringing down the power grid, according to the nation's grid regulator.
  • Hack These Apps And Earn $1,000 — Bug Bounty Program Launched By Google And HackerOne
  • Security Vulnerability Puts Linux Kernel at Risk

Smartphone Waste and Tizen News