news.fp.o

Toshio Kuratomi a.badger at gmail.com
Fri Feb 22 00:35:25 UTC 2008


Jeffrey Tadlock wrote:
> 2008/2/21 Toshio Kuratomi <a.badger at gmail.com>:
>>  This is a highly inaccurate measure of security but it's something to
>>  look at.  I wonder if lkundrak and the security team have a preference
>>  for blogging/news software :-)
>>
>>  Number of CVEs listed on http://nvd.nist.gov/nvd.cfm
>>        wordpress  drupal  mediawiki  zope  plone
>>  2008     30        17        1        0     0
>>  2007     64        37        7        2     1
>>  2006     21        39        4        1     3
> 
> I looked at WordPress a bit this morning as well.  I used the same
> source as Toshio did, but I think I used a slightly different search
> than him.  I used the Advanced search and set the Product to
> WordPress.  That yielded these numbers:
> 
> 2008:    13
> 2007:    42
> 2006:    16
> 
Thanks for doing a better search than I did!  I'm not sure that your 
numbers are any more meaningful than mine, though, as what we need to do 
is establish how much vulnerability we'll incur if we use a certain 
tool.  So, to narrow it down like you want to do, we need to find out 
how many CVEs affect the core + plugins that we'll be using (which
seems like it's not going to be a static list until something gets 
deployed... and probably not even then.)

For instance, wordpress was being looked at in part because we may have 
some responsibility for Fedora.tv in the future (which is a wordpress 
platform with parts implemented via plugin).  Someone wanted to host 
polls so we started looking at a plugin to do so.  Once we get this up 
and running, the inclination to use the platform for more things will 
come about as well.  Did you say it has gallery plugins?  Well, the art 
team has wanted to host some sort of gallery for quite a while.  The 
uses we put this to are just going to grow.

So knowing that plugins are vulnerable to attack could be very relevant 
to the discussion at hand.  Perhaps some web platform's architectures 
sandbox plugins so that an exploit in their code is not as dangerous to 
the system as a whole.  Perhaps some systems make it their 
responsibility to filter all data coming in and all data going out with 
the plugins sitting behind that layer.  Perhaps some developer 
communities (I'm including the plugin authors here) are more concerned 
about coding in a secure manner than others.  Perhaps some projects are 
proactive about potential security holes while others are reactive.

Looking at numbers of raw CVEs is a very coarse way to estimate this.  I 
think that the numbers show a quality differential between mediawiki and 
the others but if we want to evaluate more than that, I think we have to 
start looking for better criteria like Mark Cox's days of risk and 
actually evaluating upstream's code.

-Toshio
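To illustrate the point about raw CVE counts versus a days-of-risk style metric, here is an added example (not from the thread or any of the projects discussed). The advisory records, product names and dates are constructed placeholders; the metric sums, per product, the days each issue was public before a fix shipped, with unfixed issues accruing risk up to a reference date.

```python
"""Compare raw CVE counts with a 'days of risk' style metric.

Added example, not part of the original thread. Records below are
constructed sample data, not real advisories; product names and
dates are placeholders chosen for illustration.
"""
from collections import defaultdict
from datetime import date

# Constructed records: (product, public disclosure date, date a fix shipped).
# fixed=None marks an issue that is still unfixed as of the reference date.
SAMPLE_ADVISORIES = [
    ("cms-a", date(2007, 1, 10), date(2007, 1, 12)),
    ("cms-a", date(2007, 3, 2), date(2007, 3, 3)),
    ("cms-a", date(2007, 5, 20), date(2007, 5, 21)),
    ("cms-a", date(2007, 8, 1), date(2007, 8, 1)),
    ("cms-b", date(2007, 2, 14), date(2007, 6, 30)),
    ("cms-b", date(2007, 9, 9), None),
]

# Reference date used for issues that have no fix yet (constructed).
AS_OF = date(2007, 12, 31)


def cve_counts(advisories):
    """Raw number of advisories per product (the coarse measure)."""
    counts = defaultdict(int)
    for product, _, _ in advisories:
        counts[product] += 1
    return dict(counts)


def days_of_risk(advisories, as_of):
    """Sum, per product, the days each issue was public before a fix shipped.

    An unfixed issue accrues risk up to `as_of`; a fix that ships on the
    disclosure day contributes 0 days.
    """
    total = defaultdict(int)
    for product, disclosed, fixed in advisories:
        end = fixed if fixed is not None else as_of
        if end < disclosed:
            raise ValueError(f"fix dated before disclosure for {product}")
        total[product] += (end - disclosed).days
    return dict(total)


def rank(metric):
    """Products ordered from lowest to highest exposure under a metric."""
    return sorted(metric, key=lambda p: (metric[p], p))


if __name__ == "__main__":
    print("raw CVE count:", cve_counts(SAMPLE_ADVISORIES))
    print("days of risk: ", days_of_risk(SAMPLE_ADVISORIES, AS_OF))
    print("by count:", rank(cve_counts(SAMPLE_ADVISORIES)))
    print("by days: ", rank(days_of_risk(SAMPLE_ADVISORIES, AS_OF)))
```

With this data the product that has more CVEs ranks better on days of risk, because its fixes shipped within a day or two, which is the kind of difference a bare count hides.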
