Channel: Debian User Forums

Are most or all security flaws fixed in Debian? Or is it like Ubuntu where many are not?

TL;DR In Ubuntu, apparently not all security issues in Universe are fixed. I was wondering if all security issues are fixed in Debian. Bearing in mind that some have lower priorities than others. Here's what got me thinking about this.

Here's a post from Wilders Security forums where Summerheat says that many security flaws in Universe in Ubuntu may not be fixed, whereas in Debian they all are fixed.
An article on heise.de reminds again of the fact that this LTS support only applies to the main repository (with about 7,300 packages in 16.04), not to universe (with about 45,500 packages). This is critical as many packages therein are no longer maintained and can therefore be affected by security holes.

[Examples]

The thing is that those vulnerabilities are all fixed in Debian as all provided packages are maintained and security fixes are backported.
https://www.wilderssecurity.com/threads ... rt.385386/

Here's a post by Thomas Ward on AskUbuntu saying that the situation in Ubuntu is much the same as in Debian. He says that the more popular packages in Universe are likely to have security flaws fixed.
Even in Debian, there are many many packages that don't get regular security updates.

...

While you are not guaranteed any updates for these packages, a lot of the popular ones will have enough attention to usually have someone working to try and patch security issues.
https://askubuntu.com/questions/618727/ ... ame-packag

Here's a post by ian-weisser saying that many less-than-popular packages do not get security fixes in Ubuntu Universe.
Universe packages are supposed to be provided by the community, but few volunteers do it, so generally they were not happening for many less-popular packages.
https://ubuntuforums.org/showthread.php ... st14151474

Then there's the Debian documentation which seems to indicate that indeed, if a security flaw is reported to the security team then it does get fixed.
Once the security team receives a notification of an incident, one or more members review it and consider its impact on the stable release of Debian (i.e. if it's vulnerable or not). If our system is vulnerable, we work on a fix for the problem.
https://www.debian.org/security/faq#handling

https://www.debian.org/doc/manuals/secu ... n-sec-team

The documentation claims that most security flaws are fixed by any distribution. In section 12.1.1.1 they say
Known security updates are rarely, if ever, left unfixed by a distribution vendor.
But there are too many packages to audit for security flaws. On the other hand, many people are using stable packages, so most will get uncovered. In section 12.1.1.8 they say
The Debian security team cannot possibly analyze all the packages included in Debian for potential security vulnerabilities, since there are just not enough resources to source code audit the whole project.

...

However, Debian users can take confidence in the fact that the stable code has a wide audience and most problems would be uncovered through use.
https://www.debian.org/doc/manuals/secu ... 12.en.html

Can anyone add any insight to this? Are most security flaws in Debian getting fixed or not? :D

Statistics: Posted by Shamak — 2024-01-15 23:02 — Replies 0 — Views 52
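The question above can be answered with data rather than opinion: Debian publishes every tracked CVE, per release, with its status in the security tracker, and issues the team decided not to fix via a DSA are tagged no-dsa (usually "Minor issue"), which is exactly the "lower priority" class the post mentions. The script below is an added example, not code from the post or from Debian; it assumes the shape of the tracker's JSON export at https://security-tracker.debian.org/tracker/data/json (package, then CVE, then per-release `status`, `urgency`, `fixed_version`, `nodsa`), and all package names, CVE ids and versions in the embedded sample are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample in the shape of the Debian security tracker's JSON export
# (https://security-tracker.debian.org/tracker/data/json): package -> CVE -> per-release
# status. Package names, CVE ids, versions and statuses are made up for illustration;
# the "nodsa" key is how the tracker marks issues not considered worth a DSA.
SAMPLE_TRACKER_JSON = """
{
  "examplepkg": {
    "CVE-2023-0001": {
      "description": "constructed: heap overflow in parser", "scope": "remote",
      "releases": {
        "bookworm": {"status": "resolved", "fixed_version": "1.2.3-1+deb12u1",
                     "repositories": {"bookworm": "1.2.3-1+deb12u1"}, "urgency": "high"},
        "sid": {"status": "resolved", "fixed_version": "1.2.4-1",
                "repositories": {"sid": "1.2.4-1"}, "urgency": "high"}
      }
    },
    "CVE-2023-0002": {
      "description": "constructed: NULL dereference on malformed input", "scope": "local",
      "releases": {
        "bookworm": {"status": "open", "repositories": {"bookworm": "1.2.3-1+deb12u1"},
                     "urgency": "unimportant", "nodsa": "Minor issue", "nodsa_reason": ""},
        "sid": {"status": "resolved", "fixed_version": "1.2.5-1",
                "repositories": {"sid": "1.2.5-1"}, "urgency": "unimportant"}
      }
    }
  },
  "otherpkg": {
    "CVE-2024-0003": {
      "description": "constructed: path traversal", "scope": "remote",
      "releases": {
        "bookworm": {"status": "open", "repositories": {"bookworm": "0.9-2"}, "urgency": "medium"},
        "sid": {"status": "open", "repositories": {"sid": "0.9-3"}, "urgency": "medium"}
      }
    }
  }
}
"""

TRACKER = json.loads(SAMPLE_TRACKER_JSON)


def summarize_release(tracker, release):
    """Count tracked CVEs for one release by outcome.

    Returns e.g. {"resolved": n, "open": m, "open_nodsa": k}; "open_nodsa" are
    issues left open on purpose (tagged no-dsa, typically "Minor issue"), which is
    the "lower priority" class the post alludes to.
    """
    counts = Counter()
    for cves in tracker.values():
        for info in cves.values():
            rel = info.get("releases", {}).get(release)
            if rel is None:
                continue  # this CVE is not tracked for that release
            status = rel.get("status", "undetermined")
            if status == "open" and "nodsa" in rel:
                counts["open_nodsa"] += 1
            else:
                counts[status] += 1
    return dict(counts)


def open_issues_for_packages(tracker, release, installed_sources):
    """List (source package, CVE, urgency, no-dsa note) for issues still open in
    `release` among the given source package names; packages the tracker does
    not know about are simply skipped."""
    rows = []
    for pkg in sorted(set(installed_sources)):
        for cve_id, info in sorted(tracker.get(pkg, {}).items()):
            rel = info.get("releases", {}).get(release)
            if rel and rel.get("status") == "open":
                rows.append((pkg, cve_id, rel.get("urgency", "unknown"), rel.get("nodsa")))
    return rows


def load_live_tracker(url="https://security-tracker.debian.org/tracker/data/json"):
    """Fetch the real export (tens of MB); not used by the offline demo below."""
    from urllib.request import urlopen
    with urlopen(url, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for release in ("bookworm", "sid"):
        print(release, summarize_release(TRACKER, release))
    # In practice feed the output of: dpkg-query -W -f='${source:Package}\n' | sort -u
    for row in open_issues_for_packages(TRACKER, "bookworm", ["examplepkg", "otherpkg", "bash"]):
        print(row)
```

Running `summarize_release` over the live export for `bookworm` gives the honest answer to the post: nearly everything tracked is either resolved or open-but-no-dsa, and the remaining plain "open" entries are the ones worth reading. Feed `open_issues_for_packages` the source package names of what you actually have installed (via `dpkg-query -W -f='${source:Package}\n'`) to turn that into a per-host list, and treat a no-dsa note as "Debian looked and decided it is minor", not as "nobody looked".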
