news.fp.o
seth vidal
skvidal at fedoraproject.org
Thu Feb 21 19:28:47 UTC 2008
On Thu, 2008-02-21 at 13:13 -0500, Jeffrey Tadlock wrote:
> 2008/2/21 Toshio Kuratomi <a.badger at gmail.com>:
> > This is a highly inaccurate measure of security but it's something to
> > look at. I wonder if lkundrak and the security team have a preference
> > for blogging/news software :-)
> >
> > Number of CVEs listed on http://nvd.nist.gov/nvd.cfm
> >             wordpress   drupal   mediawiki   zope   plone
> >     2008           30       17           1      0       0
> >     2007           64       37           7      2       1
> >     2006           21       39           4      1       3
>
> I looked at WordPress a bit this morning as well. I used the same
> source as Toshio did, but I think I used a slightly different search
> than him. I used the Advanced search and set the Product to
> WordPress. That yielded these numbers:
>
> 2008: 13
> 2007: 42
> 2006: 16
>
> If you search the vuln database for just wordpress it pulls in a lot
> of plugins for WordPress that have issues. Even the search I did
> pulled in results for plugins for WordPress and not just core
> WordPress components. So I went through 2008 and 2007 to see which
> results in my search affected core WordPress bits and which were for
> optional plugins. Those results were:
>
> 2008: 7
> 2007: 36
>
> Several of the hits for those two years had been for things like
> custom themes someone had provided or guest books or an image gallery.
>
> I also looked briefly at versions affected as well. Just using 2008
> as an example, there were still 7 security issues listed for core
> WordPress components so far. But if you figure you probably shouldn't
> still be running a 2.0.x version or 2.1.x version of WordPress in 2008
> then another 5 CVEs drop off the list leaving 2008 at 2 CVEs.
>
> To be fair, I only looked this closely at WordPress. It is quite
> likely Drupal's numbers would drop if I looked through those results
> and made decisions on which affected core bits and which affected
> plugins to Drupal. Like Toshio already said, this isn't the greatest
> way to determine the security of an app.
>
> > These numbers show a big difference between mediawiki and drupal or
> > wordpress. The questions are just how valid the numbers are and whether
> > we're confident that the combination of SELinux (which we will then
> > depend on; no more turning it off if we can't figure out a problem) and
> > mod_security will keep our servers and users of the sites safe from the
> > exploits that will appear.
>
> With any application we provide we need to consider security. I think
> SELinux is a valid means to help prevent damage from 0-day flaws as is
> mod_security. They are tools in the toolkit we can use to help reduce
> our attack surface. If we do move to PHP based apps, we could also
> consider looking at suhosin [1] as another tool for the toolbox.
>
Let's not, ever, say we're considering going to php based apps.
I don't mind deploying a few but I'll be damned if I'll ever 'go to php'
as a language.
-sv
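The counting method Jeffrey describes above (attribute a CVE to a product only when it affects the core package rather than a third-party plugin or theme, then optionally drop entries that only affect releases nobody should still be running) can be made repeatable instead of done by hand. The script below is an added example written for this page, not code from the thread or from Fedora Infrastructure. It assumes vulnerability records have already been pulled from NVD into a simple list of dicts carrying the CVE id, the year, and the CPE 2.2 URIs (`cpe:/a:vendor:product:version`) the entry lists as affected; the records, the plugin vendor names and the `CVE-0000-...` identifiers are constructed placeholders, not real advisories, and the version floor of 2.2 for WordPress is an assumption that mirrors the "shouldn't still be running 2.0.x or 2.1.x" reasoning in the quoted mail.

```python
"""Count CVEs per product and year from CPE data, separating core from add-ons.

Added example, not part of the mailing-list thread. SAMPLE_RECORDS is
constructed for illustration; its CVE ids are placeholders (CVE-0000-...) and
do not refer to real advisories. Real NVD records would be fetched separately
and converted into the same {id, year, cpes} shape.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Core packages we care about, keyed by a display name and mapped to the
# (vendor, product) pair that names the core project in CPE.  Plugins and
# themes are published under other vendor/product pairs and so never match.
CORE: Dict[str, Tuple[str, str]] = {
    "wordpress": ("wordpress", "wordpress"),
    "drupal": ("drupal", "drupal"),
    "mediawiki": ("mediawiki", "mediawiki"),
}

# Constructed sample data (not real CVEs). Mixes core entries, plugin-only
# entries, multi-version entries and one entry with no version component.
SAMPLE_RECORDS: List[dict] = [
    {"id": "CVE-0000-0001", "year": 2008, "cpes": ["cpe:/a:wordpress:wordpress:2.3.2"]},
    {"id": "CVE-0000-0002", "year": 2008, "cpes": ["cpe:/a:wordpress:wordpress:2.0.11",
                                                   "cpe:/a:wordpress:wordpress:2.1.3"]},
    {"id": "CVE-0000-0003", "year": 2008, "cpes": ["cpe:/a:example_dev:photo_gallery_plugin:1.0"]},
    {"id": "CVE-0000-0004", "year": 2007, "cpes": ["cpe:/a:wordpress:wordpress:2.2"]},
    {"id": "CVE-0000-0005", "year": 2007, "cpes": ["cpe:/a:example_dev:guestbook_theme:0.9",
                                                   "cpe:/a:wordpress:wordpress"]},
    {"id": "CVE-0000-0006", "year": 2008, "cpes": ["cpe:/a:drupal:drupal:5.7"]},
    {"id": "CVE-0000-0007", "year": 2007, "cpes": ["cpe:/a:mediawiki:mediawiki:1.11.0"]},
]


def parse_cpe(cpe: str) -> Tuple[str, str, str]:
    """Split a CPE 2.2 URI like 'cpe:/a:wordpress:wordpress:2.3.2' into
    (vendor, product, version). Fields that are absent come back as ''."""
    if not cpe.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {cpe}")
    parts = cpe[len("cpe:/"):].split(":")
    # parts[0] is the part type (a/o/h); vendor, product, version follow it.
    fields = parts[1:4] + [""] * (4 - len(parts))
    return fields[0], fields[1], fields[2]


def version_tuple(v: str) -> Tuple[int, ...]:
    """'2.0.11' -> (2, 0, 11) so versions compare numerically, not as strings."""
    out = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if digits:
            out.append(int(digits))
    return tuple(out)


def count_cves(records: Iterable[dict], core: Dict[str, Tuple[str, str]],
               min_version: Optional[Dict[str, str]] = None) -> Dict[str, Dict[int, int]]:
    """Return {product_name: {year: count}}.

    A CVE is attributed to a product only when one of its CPEs names that
    product's own vendor:product pair, which excludes plugin/theme entries.
    With min_version (e.g. {"wordpress": "2.2"}), a CVE whose core CPEs all
    carry versions below the floor is dropped as affecting only unsupported
    releases; a CPE with no version is kept, since it cannot be shown to be old.
    """
    counts: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for rec in records:
        parsed = [parse_cpe(c) for c in rec["cpes"]]
        for name, (vendor, product) in core.items():
            core_versions = [ver for ven, prod, ver in parsed if (ven, prod) == (vendor, product)]
            if not core_versions:
                continue  # plugin-only or unrelated entry
            if min_version and name in min_version:
                floor = version_tuple(min_version[name])
                if all(v and version_tuple(v) < floor for v in core_versions):
                    continue  # only affects releases below the supported floor
            counts[name][rec["year"]] += 1
    return {n: dict(y) for n, y in counts.items()}


def format_table(counts: Dict[str, Dict[int, int]]) -> str:
    """Render the counts as a year-by-product text table."""
    names = sorted(counts)
    years = sorted({y for c in counts.values() for y in c}, reverse=True)
    lines = ["year  " + "  ".join(f"{n:>10}" for n in names)]
    for y in years:
        lines.append(f"{y}  " + "  ".join(f"{counts[n].get(y, 0):>10}" for n in names))
    return "\n".join(lines)


if __name__ == "__main__":
    print("core only:")
    print(format_table(count_cves(SAMPLE_RECORDS, CORE)))
    print("\ncore only, WordPress < 2.2 dropped:")
    print(format_table(count_cves(SAMPLE_RECORDS, CORE, {"wordpress": "2.2"})))
```

The vendor:product match is what does the plugin filtering; a free-text search for "wordpress" would also pull in every plugin and theme whose description mentions it, which is exactly the inflation described in the thread. The version floor is a judgement call, so it is a separate, optional step rather than baked into the count.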