Secunia pages -- publishing wrong and misleading information about security status of Fedora distros?? RE: [Fedora Project Wiki] Update of "Security" by JoshBressers (fwd)
deisenst at gtw.net
Sat Mar 4 04:39:43 UTC 2006
I was noticing one of Josh Bressers' edits to wiki/Security today... (see
the forward below).
If Secunia's information is incorrect and misleading, misrepresenting the
true security status of Fedora distributions, oughtn't we get in touch
with Secunia to help coordinate updating their information to make it
correct and informative?
They claim to welcome feedback:
"If you have new information regarding a Secunia advisory or a
product in our database, please send it to us using either our web
form or email us at vuln at secunia.com.
"Ideas, suggestions, and other feedback is most welcome."
It seems that Secunia may be doing us a service, putting a lot of work
into informing the public of details about the security status of various
Linux distros including Fedora -- work we may not have time to do and so
are not doing at the moment. Perhaps we can support their work rather
than just putting our heads in the sand and pretending it's not there,
misrepresenting the security status?
(a little later)
Okay, now I've actually *looked* at Secunia's pages... Hrm. It looks
like Secunia only talks about issues that have releases published, and
then only from the fedora-announce-list. They have nothing in their pages
about vulnerabilities fixed by Fedora Legacy. (For example, see
<http://secunia.com/graph/?type=adv&period=all&prod=2568> for FC1, which
Fedora Legacy continues to maintain.)
And, since it appears they're only reporting from announcements of fixed
packages, of course their little pie charts would show 100% fixed. (For
example, see <http://secunia.com/graph/?type=sol&period=all&prod=5251> for
Fedora Core 4.) It looks like they're doing no original research at all
(like looking at CVEs from cve.mitre.org) to see if distros have any
unpatched vulnerabilities ...
Does Secunia have folks that can be worked with so their Fedora pages can
become reliable enough so we *can* have them linked to as a third-party
site in our wiki?? And further, do any of us who work with security
issues have *time* to invest in working with them to bring them in line
with reality, assuming they're open to suggestions?
---------- Forwarded message ----------
From: fedorawiki-noreply at fedoraproject.org
To: fedorawiki-noreply at fedoraproject.org
Date: Fri, 03 Mar 2006 22:32:50 -0000
Subject: [Fedora Project Wiki] Update of "Security" by JoshBressers
Dear Wiki user,
You have subscribed to a wiki page or wiki category on "Fedora Project Wiki" for change notification.
The following page has been changed by JoshBressers:
The comment on the change is:
The secunia pages are very wrong and misleading.
@@ -38, +38 @@
- == Third-Party Information ==
- * [http://secunia.com/product/5251/ Secunia's Vulnerability Report for Fedora Core 4]
- * [http://secunia.com/product/4222/ Secunia's Vulnerability Report for Fedora Core 3]
- * [http://secunia.com/product/3489/ Secunia's Vulnerability Report for Fedora Core 2]
- * [http://secunia.com/product/2568/ Secunia's Vulnerability Report for Fedora Core 1]
- * [http://secunia.com/vendor/3/ Secunia's Red Hat vendor page]
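Review bot: the hunk removes the whole "Third-Party Information" section, including the Red Hat vendor page link, while the change comment only states that the Secunia pages are "very wrong and misleading" without recording why; a short note on the wiki page (or in the comment) naming the known limitation, namely that the Secunia product pages reflect only fedora-announce-list updates and omit Fedora Legacy fixes, as the covering mail describes, would let later editors judge whether to restore any of these links once the data improves.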