Debian Security

• Work of the Security Team
• Sources of notification
• Processing of problems
• Common Problems
• How to help?
• Summary

• Founded 1997
• Developers dedicated to securing Debian
• Officers and Secretaries
• Small team
• Currently a bit too small
• More than 750 advisories

• Security problems in stable releases
• Verify problems
• Coordination with maintainer
• Coordination with upstream
• Coordination with vendors
• Fix problems
• Release advisory

• Security problems on users machines
• Security problems on Debian mirrors
• unstable distribution
• testing distribution
• Installation problems
• Examples, exploits

• Debian Security Audit
• CERT
• vendor-sec
• bugtraq
• Other vendors
• CVE / MITRE

• Private information, non-public
• Sensible handling of security problems
• Real bug fixing vs. being the first
• Similar chances for all vendors
• Benefitting from other vendors' work
• Full disclosure vs. immediate disclosure

• Not well documented in public
• Mailing-List
• Federation of various vendors
  • commercial and non-commercial
  • Linux, BSD, IRIX, HP-UX
  • Celebrities
• Talk about security problems
• Development of corrections
• Coordination / sensible handling

• Understanding the problem
• Building a test case
• Code review
• Code analysis
• Correction
• Testing

• Exploits for user programs
• Problems in unused code
• Problems in unprivileged code
• Bugs in examples
• Non-automatic, non-root programs

• Private DAK installation
• Private queue
• Public upload directory
• Specific wanna-build databases
• Build log approval
• Immediate update

• Buffer overflow, integer overflow
• Format string
• SQL injection
• Missing privilege release
• Infinite loop
• Cross site scripting
• Information disclosure

• Report problems comprehensively
• Validate yourself
• Develop a correction
• Only distribute clean patches
• Testing
• Watch security lists
• Debian Security Audit

• Sources for notification
• vendor-sec
• Full disclosure vs. immediate disclosure
• Security processing
• How to help