Language Selection

English French German Italian Portuguese Spanish

Debian addresses security concerns

Filed under
Linux

The organization's security team has issued a host of announcements and informed the community it has resolved problems with the infrastructure governing security updates.

"There were several issues with the security infrastructure after the release of Sarge [aka Debian 3.1] that led to the Debian security team being unable to issue updates to vulnerable packages. These issues have been fully resolved, and the infrastructure is working correctly again," it said in a statement issued this afternoon.

Debian's elected leader Branden Robinson yesterday flagged an inquiry into the processes by which security updates are released, citing a potential lack of transparency and communication failures.

It was also an appropriate time to add new members to Debian's security team, as several have been inactive for a while, Robinson said in an e-mail to developers. He admitted the organisation had been "sluggish" in the area recently and said the focus would now be on ensuring Debian was not plagued with such problems again.

He said an inquiry -- to be conducted by developer Andreas Barth -- would allow the organisation to attack weak points.

"One thing I'd like to see is better documentation of the internal workings of the security update process," he wrote. "With a broader understanding of the security workflow, I'm hopeful that people will be less likely to draw erroneous inferences about what the causes of problems are, and more likely to make offers of assistance that prove fruitful."

Robinson said he expects to spend a lot of time talking about the security issue to Debian developers and representatives of the user community at the upcoming sixth annual Debian developer conference on July 10 in Helsinki, Finland.

"Many people have stepped forward in public or in private to offer us assistance with ensuring that this problem does not recur," he said, "and that Debian upholds its valuable reputation as a consistent provider of timely security updates to its users."

"I regret the interruption of this service, but with so many people determined to apply their skills to this facet of our responsibilities, I'm confident that we can prevent its recurrence."

Robinson said after "extensive conversations with many people", he suspected two factors were at the heart of Debian's security woes.

Firstly, he said the security team had not been given enough manpower to deal with the demands being placed on it. In addition, there was a failure in the process of actually distributing security updates that were ready to go out.

In the statement issued this afternoon, Debian warned users against installing packages from the "sarge-proposed-updates" suite, as some Web sites had been advocating as a temporary fix before official updates became available.

"Those packages are currently under development and may not work properly," the statement said. "In addition, those packages may not provide users with timely security fixes."

By Renai LeMay
ZDNet Australia

More in Tux Machines

Today in Techrights

SUSE: GCC and GSoC in OpenSUSE/SLES

  • SLES 12 Toolchain Update Brings new Developer Tools
  • SUSE Linux Enterprise Server 12 Updates Its Developer Toolchain to GCC 7
    SUSE's Andreas Jaeger writes in a blog post about the updated toolchain of the SUSE Linux Enterprise Server 12 operating system and the new developer tools it brings. The article notes the fact that with the release of GNU Compiler Collection 7, the GCC team brought numerous improvements for developers, including better diagnostics, DWARF 5 support, as well as support for the C++ 17 standard. GCC 7 also contains improved optimization passes and takes advantage of some of the features of modern processors, and now it is available to all SUSE Linux Enterprise Server 12 customers with an active subscription.
  • Become a Google Summer of Code Mentor for openSUSE
    The application period for organizations wanting to participate in the Google Summer of Code is now and the openSUSE project is once again looking for mentors who are willing to put forth projects to mentor GSoC students.

Android Leftovers

Security: Purism, Intel, Wi-Fi, iOS

  • Purism patches Meltdown and Spectre variant 2, both included in all new Librem laptops
    Purism has released a patch for Meltdown (CVE-2017-5754, aka variant 3) as part of PureOS, and includes this latest PureOS image as part of all new Librem laptop shipments. Purism is also providing a microcode update for Intel processors to address Spectre variant 2 (CVE-2017-5715).
  • Intel Fumbles Its Patch for Chip Flaw
    Intel is quietly advising some customers to hold off installing patches that address new security flaws affecting virtually all of its processors. It turns out the patches had bugs of their own.
  • Wi-Fi Alliance announces WPA3 to secure modern networks
    The Consumer Electronics Show (CES) is an odd place to announce an enterprise product, but the Wi-Fi Alliance used the massive trade show — which has more or less taken over where Comdex left off — to announce a major upgrade to Wi-Fi security. The alliance announced the Wi-Fi Protected Access 3 (WPA3), a new standard of Wi-Fi security that greatly increases the security capabilities of the wireless standard. WPA2, which is the current standard in wireless security, has been around for 14 years, so this is way overdue.
  • More iOS 11 Jailbreak Tweaks Could Be Released by the Weekend
    The Electra jailbreak tool is better than LiberiOS because it comes with Substitute. This is the alternative to Cydia substrate that was first developed by Comex. This would allow users to install and use jailbreak tweaks compatible to iOS 11.