[1409] in linux-security and linux-alert archive
[linux-security] Re: evidence/timelines that show linux is "more secure"
daemon@ATHENA.MIT.EDU (David Holland)
Wed Jan 29 16:33:22 1997
From: David Holland <dholland@eecs.harvard.edu>
To: linux-security@redhat.com
Date: Wed, 29 Jan 1997 16:15:54 -0500 (EST)
In-Reply-To: <199701292022.PAA07345@schroeder.redhat.com> from "Marc Ewing" at Jan 29, 97 03:22:57 pm
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
> I'm looking for some evidence, backup up with dates and references,
> that shows that the Linux community responds to security problems
> more quickly than other OS vendors, and thus might be considered
> "more secure".
Unfortunately it's not clear that this is all that true. The
turnaround time on the libc env bugs was on the order of three to four
months, around the same time as most vendors. Mind you, this was
nearly a worst case for Linux.
When developers discover holes they get fixed a lot faster; the talkd
bug that came out of CERT this week was fixed in Linux in July,
because I found it while preparing NetKit 0.07 (yeah, I know the CERT
advisory says 0.08, this particular bug was actually fixed in 0.07;
you shouldn't be running anything earlier than 0.09 or a vendor-fixed
0.08 at this point anyway.)
The other problem: define "Linux fix date"? In the libc case, a fixed
developer version of libc was out long before the fixes were complete.
Red Hat got a fixed version out someplace in the middle.
FWIW:
Vulnerability : talkd buffer overrun attackable via DNS
Affects : Linux, NetBSD, FreeBSD, OpenBSD, BSD/OS, Solaris, etc.
Linux Fix Date : July 1996 (check the exact netkit 7 release date)
Other Fix Dates: NetBSD, OpenBSD: July 1996
FreeBSD: January 1997
BSD/OS: January 1997
Solaris: Not yet fixed
References : CERT Advisory CA-97.04
--
- David A. Holland | VINO project home page:
dholland@eecs.harvard.edu | http://www.eecs.harvard.edu/vino