news.fp.o
Toshio Kuratomi
a.badger at gmail.com
Fri Feb 22 00:35:25 UTC 2008
Jeffrey Tadlock wrote:
> 2008/2/21 Toshio Kuratomi <a.badger at gmail.com>:
>> This is a highly inaccurate measure of security but it's something to
>> look at. I wonder if lkundrak and the security team have a preference
>> for blogging/news software :-)
>>
>> Number of CVEs listed on http://nvd.nist.gov/nvd.cfm
>>            wordpress  drupal  mediawiki  zope  plone
>> 2008              30      17          1     0      0
>> 2007              64      37          7     2      1
>> 2006              21      39          4     1      3
>
> I looked at WordPress a bit this morning as well. I used the same
> source as Toshio did, but I think I used a slightly different search
> than him. I used the Advanced search and set the Product to
> WordPress. That yielded these numbers:
>
> 2008: 13
> 2007: 42
> 2006: 16
>
Thanks for doing a better search than I did! I'm not sure that your
numbers are any more meaningful than mine, though, as what we need to do
is establish how much vulnerability we'll incur if we use a certain
tool. So, to narrow it down like you want to do, we need to find out
how many CVEs affect the core + plugins that we'll be using (which
seems like it's not going to be a static list until something gets
deployed... and probably not even then.)
For instance, wordpress was being looked at in part because we may have
some responsibility for Fedora.tv in the future (which is a wordpress
platform with parts implemented via plugin). Someone wanted to host
polls so we started looking at a plugin to do so. Once we get this up
and running, the inclination to use the platform for more things will
come about as well. Did you say it has gallery plugins? Well, the art
team has wanted to host some sort of gallery for quite a while. The
uses we put this to are just going to grow.
So knowing that plugins are vulnerable to attack could be very relevant
to the discussion at hand. Perhaps some web platform's architectures
sandbox plugins so that an exploit in their code is not as dangerous to
the system as a whole. Perhaps some systems make it their
responsibility to filter all data coming in and all data going out with
the plugins sitting behind that layer. Perhaps some developer
communities (I'm including the plugin authors here) are more concerned
about coding in a secure manner than others. Perhaps some projects are
proactive about potential security holes while others are reactive.
Looking at numbers of raw CVEs is a very coarse way to estimate this. I
think that the numbers show a quality differential between mediawiki and
the others but if we want to evaluate more than that, I think we have to
start looking for better criteria like Mark Cox's days of risk and
actually evaluating upstream's code.
-Toshio
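As an added illustration of the two ideas raised in this message, counting only the CVEs that touch the core plus the plugins actually deployed and measuring days of risk instead of raw counts, here is example code that is not part of the thread; the advisory ids, component names and dates are constructed placeholders, not real NVD records.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    cve: str            # placeholder id, not a real CVE number
    product: str
    component: str      # "core" or the name of a plugin
    disclosed: date     # date the issue became public
    fixed: Optional[date]  # upstream fix date, None if still unfixed


# Constructed sample advisories (hypothetical; not taken from NVD).
SAMPLE = [
    Advisory("CVE-EXAMPLE-1", "wordpress", "core", date(2007, 1, 5), date(2007, 1, 9)),
    Advisory("CVE-EXAMPLE-2", "wordpress", "polls-plugin", date(2007, 3, 1), date(2007, 4, 15)),
    Advisory("CVE-EXAMPLE-3", "wordpress", "gallery-plugin", date(2007, 6, 2), None),
    Advisory("CVE-EXAMPLE-4", "wordpress", "unused-plugin", date(2007, 8, 8), date(2007, 8, 9)),
    Advisory("CVE-EXAMPLE-5", "mediawiki", "core", date(2007, 2, 1), date(2007, 2, 3)),
]


def affecting_deployment(advisories, product, deployed_plugins):
    """Keep only advisories for the product's core or a plugin we actually run."""
    wanted = {"core", *deployed_plugins}
    return [a for a in advisories if a.product == product and a.component in wanted]


def count_by_year(advisories):
    """The coarse measure from the thread: raw CVE count per disclosure year."""
    counts = {}
    for a in advisories:
        counts[a.disclosed.year] = counts.get(a.disclosed.year, 0) + 1
    return counts


def days_of_risk(advisories, as_of):
    """Total days the issues were public without an upstream fix, as of a date.

    An unfixed issue keeps accumulating risk up to `as_of`, which is what
    distinguishes this from simply counting CVEs.
    """
    total = 0
    for a in advisories:
        end = a.fixed if a.fixed is not None else as_of
        total += (end - a.disclosed).days
    return total


if __name__ == "__main__":
    wp = affecting_deployment(SAMPLE, "wordpress", ["polls-plugin", "gallery-plugin"])
    print(len(wp), count_by_year(wp), days_of_risk(wp, date(2008, 2, 21)))
```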