Vulnerabilities

About Vulnerabilities

All software has bugs. Sometimes a bug can be exploited, for example to let a user gain more privileges than they were granted (perhaps logging in to a root shell, or reading or deleting other users' files), to let a remote site crash an application (denial of service), or to steal data. Bugs like these are labelled as vulnerabilities.

The main site collecting vulnerability information is cve.mitre.org. Unfortunately, many vulnerability numbers (CVE-yyyy-nnnn) are initially only labelled as "reserved" when distributions start issuing fixes. Also, some vulnerabilities apply only to particular combinations of configure options, or only to old versions of packages which have long since been updated in BLFS.
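As an added illustration (not part of the BLFS book) of how to apply the caveats above when checking a locally built package, the following Python helper rejects malformed CVE identifiers, treats a still-"reserved" entry as unknown rather than as safe, skips advisories whose flaw needs a configure option that was not used, and compares the installed version against the first fixed release. The advisory entries, CVE numbers (year 2099) and option name are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# CVE-yyyy-nnnn: the sequence part has at least four digits (more are allowed).
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

@dataclass
class Advisory:
    cve: str
    fixed_in: Optional[str]             # first release with the fix; None while the entry is only "reserved"
    needs_option: Optional[str] = None  # configure option the flaw requires, if any

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.4.1' into (2, 4, 1); trailing zeros are dropped so '2.4' compares equal to '2.4.0'."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def triage(advisories: Iterable[Advisory], installed: str, configure_options: Set[str]) -> Dict[str, str]:
    """Classify each advisory for one installed build: reserved, not-applicable, fixed or affected."""
    verdicts: Dict[str, str] = {}
    for adv in advisories:
        if not CVE_ID.match(adv.cve):
            raise ValueError(f"malformed CVE identifier: {adv.cve!r}")
        if adv.fixed_in is None:
            verdicts[adv.cve] = "reserved"        # no public details yet: unknown, never assumed safe
        elif adv.needs_option and adv.needs_option not in configure_options:
            verdicts[adv.cve] = "not-applicable"  # the vulnerable code was not built in
        elif parse_version(installed) >= parse_version(adv.fixed_in):
            verdicts[adv.cve] = "fixed"
        else:
            verdicts[adv.cve] = "affected"
    return verdicts

# Constructed sample advisories: the CVE numbers and the option name are placeholders, not real entries.
SAMPLE_ADVISORIES = [
    Advisory("CVE-2099-0001", fixed_in="2.4"),
    Advisory("CVE-2099-0002", fixed_in="2.5.0"),
    Advisory("CVE-2099-0003", fixed_in=None),
    Advisory("CVE-2099-0004", fixed_in="2.5.0", needs_option="--enable-sample-feature"),
]

if __name__ == "__main__":
    for cve, verdict in triage(SAMPLE_ADVISORIES, "2.4.0", {"--enable-static"}).items():
        print(f"{cve}: {verdict}")
```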

BLFS differs from distributions—there is no BLFS security team, and the editors only become aware of vulnerabilities after they are public knowledge. Sometimes, a package with a vulnerability will not be updated in the book for a long time. Issues can be logged in the Trac system, which might speed up resolution.

The normal way for BLFS to fix a vulnerability is, ideally, to update the book to a new fixed release of the package. Sometimes that happens even before the vulnerability is public knowledge, so there is no guarantee that it will be shown as a vulnerability fix in the Changelog. Alternatively, a sed command, or a patch taken from a distribution, may be appropriate.

The bottom line is that you are responsible for your own security, and for assessing the potential impact of any problems.

The editors now issue Security Advisories for packages in BLFS (and LFS), which can be found at BLFS Security Advisories, and grade the severity according to what upstream reports, or to what is shown at nvd.nist.gov if that has details.

To keep track of what is being discovered, you may wish to follow the security announcements of one or more distributions. For example, Debian has Debian security. Fedora's links on security are at the Fedora wiki. Details of Gentoo Linux security announcements are discussed at Gentoo security. Finally, the Slackware archives of security announcements are at Slackware security.

The most general English source is perhaps the Full Disclosure Mailing List, but please read the comment on that page. If you use other languages you may prefer other sites such as heise.de (German) or cert.hr (Croatian). These are not Linux-specific. There is also a daily update at lwn.net for subscribers (free access to the data after 2 weeks, but their vulnerabilities database at lwn.net/Alerts is unrestricted).

For some packages, subscribing to their 'announce' lists will provide prompt news of newer versions.