Fans should 'weep' over Linux bugs

by James Middleton

08 Feb 2002

Following the furore earlier this week over which operating system, Linux or Windows, suffered more security vulnerabilities throughout 2001, Linux site LWN.net set about comparing the vulnerabilities suffered by different Linux distros in 2001.

Needless to say, the results were quite interesting, even prompting the Linux site to warn: "Anybody who is proud of Linux's security should have a good look and weep - it is a very long list."

Further reading

The big picture is somewhat vague, because although all Linux distributions have the same kernel, each distro contains thousands of different packages and extra applications.

LWN said: "There is no end of caveats that apply to this table: it is hard to make a one-for-one comparison of security updates across distributions. Undoubtedly some updates have been joined that should not be, and others have been kept separate when they should be together."

Also, the results do not distinguish between versions, so an update for Red Hat 6.2 would be lumped in with Red Hat in general.

The resulting table identifies 290 updates for 145 unique vulnerabilities across the main Linux distributions - Suse, Debian, Mandrake, Red Hat and TurboLinux.

"It would seem that the vnunet.com article actually underestimated the problem," said LWN.

However, in light of the results, the site was quick to point out that "we are not yet at a point where we can make meaningful comparisons even between Linux distributions. Trying to compare Linux with Windows seems like a waste of time."

The fact that each distribution of Linux comes with a wide assortment of packages makes it more than just an operating system for comparison purposes. And the scope of difference between each distro is so wide that patches released for a package in one distro may not be at all applicable to another.

"In the end, there is only so much to be learned about the security of an operating system by counting its published vulnerabilities," said LWN.

"One has to look at the seriousness of each, how it was discovered (internal audit or external exploit), how long users had to wait for a fix, and how many users were actually compromised as a result of the problem. We need better ways of understanding and comparing security response; simply counting vulnerabilities is not sufficient."

Below is the table identifying all Linux security updates throughout 2001 for the major distros.

Linux security updates in 2001
Vulnerable package	Debian	Mandrake	Red Hat	SuSE	Turbolinux
analog	X				X
apache (Jan)	X	X
apache (Jul)	X	X	X
arpwatch		X
bind	X	X	X	X	X
cfingerd (Apr)	X
cfingerd (Jul)	X
cron	X	X	X	X	X
ctags	X
cups		X		X
cvsweb					X
cyrus-sasl			X	X
dhcp					X
dialog					X
diffutils		X	X
ed					X
ePerl	X	X		X
elm		X
esound					X
exim	X		X
exmh	X	X
expect		X
fetchmail (Jun)	X	X
fetchmail (Aug)	X	X	X	X
fml	X
gdm		X
getty_ps		X
gftp (May)	X	X	X
gftp (Oct)	X
glibc (Mar)	X	X	X		X
glibc (Dec)		X	X	X
gnupg	X	X	X	X	X
gnuserv	X
gpm	X	X
groff	X
gtk+		X			X
htdig	X	X	X	X
hylafax		X		X
icecast	X		X
imap		X		X
imp	X
inetd			X
inn	X	X
iptables			X
ispell		X	X
jazip	X
joe	X	X	X	X
kdelibs		X	X
kdesu		X		X
kernel (May)				X
kernel (Oct)	X	X	X		X
kernel (Nov)		X	X	X
ld-linux				X
libgtop		X
licq		X
linuxconf		X
losetup			X
lpr			X	X
lprng			X		X
mailman	X		X
mailx	X
man (May)	X		X	X
man (Feb)	X
man2html	X
mc	X			X
mesa		X
mgetty	X	X	X		X
micq	X		X
minicom		X	X
mktemp			X
mod_auth_pgsql			X
mod_auth_mysql				X
most	X
mutt		X	X
mysql	X	X
ncurses		X			X
nedit	X	X	X	X
netscape	X	X	X		X
nfs-utils					X
ntpd	X	X	X	X	X
ntping				X
nvi	X
omni print			X
openldap	X	X
openssh (Jan)	X
openssh (Feb)	X	X		X	X
openssh (Oct)		X
openssh (Dec)	X	X	X	X
openssl		X	X		X
php4	X	X
pine		X
pmake					X
postfix	X	X
printtool			X
procmail	X	X	X
proftpd (Feb)	X	X
proftpd (Mar)	X
rdist		X
rpmdrake		X
rxvt	X
samba (May)	X	X
samba (Jun)	X	X	X	X
sash	X
screen				X
sdbsearch				X
sendfile	X
sendmail	X	X	X	X	X
sgml-tools	X	X	X	X
shadow-utils		X
slocate					X
slrn (Sep)	X
slrn (Mar)	X	X	X
snmp			X
splitvt	X
squid (Jan)	X	X			X
squid (Jul)	X	X	X	X
sudo	X	X	X	X
susehelp				X
tcpdump		X			X
telnet	X	X	X	X
tetex		X	X
timed		X		X
tinyproxy	X
tripwire		X
util-linux		X		X
uucp	X	X		X
vim		X	X	X	X
w3m (Jun)	X
w3m (Oct)	X
webalizer			X	X
webmin		X
wmaker	X	X		X
wmtv	X
wu-ftpd (Nov)	X	X	X	X
wu-ftpd (Jan)	X	X			X
Xaw	X
xemacs		X	X		X
xfree86	X		X
xinetd	X	X	X	X
xloadimage	X	X	X	X
xmcd				X
xtel	X
xvt	X
zope (May)	X	X	X
zope (Mar)	X	X
Totals:	81	81	56	44	28

Source: LWN.net

Topics:
Operating Systems

Do you agree?

Add your comment

Your name:
Your email address:	We won't publish your address
Your comment title:
Your comment:	By submitting a comment you agree to abide by our Terms & Conditions. Your comment will be moderated before publication.

Submit your comment

Get the latest news headlines direct to your inbox

Flame virus poll

Are you confident that the UK's IT infrastructure is secure from attack in the wake of the Flame malware revelations?

Yes, the government has been proactive in addressing threats

31%

Yes, the strong UK technology sector helps ensure access to top-level equipment and expertise

No, the government is lagging behind in adequately protecting the UK infrastructure

12%

No, there’s always exploits that can be attacked

56%

Features

It's time to change tax system to bring technology manufacturing back to the UK

The V3 Hot Seat: Imperva CTO and co-founder Amichai Shulman

Quick guide to Flame malware attack

Quick guide to cookie law compliance

More features

Orange San Diego video demo

Orange and Intel talk us through the ins and outs of their San Diego smartphone

Sign up to our daily or weekly newsletters

Follow @V3_co_uk

Case studies and reports

Social networking: a guide for IT managers

Social networking is almost ubiquitous. This white paper examines the benefits and risks and it looks at the different ways companies can reconcile them

Mitigating the risks of IT change

The importance of understanding your infrastructure

Technology jobs

Test Architect

Are you looking for a new positing within the Testing...

B2B Marketing Executive

A leading global provider of critical information to...

Scrum Master

Want to work for one of the most dynamic, creative environments...

Interactive & Mobile QA Engineer

Want to work for one of the most dynamic, creative environments...

White paper library
Latest white papers

Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.

More white papers

© Incisive Media Investments Limited 2012, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093

About us:

Business & technology web sites:

Blogs & community:

Reviews:

Software downloads:

Tools & resources:

Accreditation:

Digital Publisher of the Year 2010

Friend's email address	To send to more than one email address, simply separate each address with a comma.
Your email address
Message