7.2. Debian Security Advisories

Debian Security Advisories (DSAs) are made whenever a security vulnerability is discovered that affects a Debian package. These advisories, signed by one of the Security Team members, include information on the versions affected as well as the location of the updates. This information includes:

  • Version number of the affected package.

  • Type of problem.

  • Whether it is remotely or locally exploitable.

  • Short description of the package.

  • Description of the problem.

  • Description of the exploit.

  • Description of the fix.

DSAs are published both on Debian's front page (http://www.debian.org/) and in the Debian security pages (http://www.debian.org/security/). Usually this does not happen until the website is rebuilt (every four hours), so they might not be present immediately. The preferred channel is the debian-security-announce mailing list.

Interested users can, however (and this is done in some Debian-related portals), use the RDF channel to download DSAs automatically to their desktops. Some applications, such as Evolution (an email client and personal information assistant) and Multiticker (a GNOME applet), can be used to retrieve the advisories automatically. The RDF channel is available at http://www.debian.org/security/dsa.rdf.

DSAs published on the website might be updated after being sent to the public mailing lists. A common update is adding cross-references to security vulnerability databases. Also, translations[45] of DSAs are not sent to the security mailing lists but are included directly in the website.

7.2.1. Vulnerability cross-references

Debian provides a fully cross-referenced table (http://www.debian.org/security/crossreferences) including all the references available for all the advisories published since 1998. This table is provided to complement the reference map available at CVE (http://cve.mitre.org/cve/refs/refmap/source-DEBIAN.html).

You will notice that this table provides references to security databases such as Bugtraq (http://www.securityfocus.com/bid), CERT/CC advisories (http://www.cert.org/advisories/) and US-CERT vulnerability notes (http://www.kb.cert.org/vuls), as well as CVE names (see below). These references are provided for convenience, but only CVE references are periodically reviewed and included.

Advantages of adding cross references to these vulnerability databases are:

  • it makes it easier for Debian users to see and track which general (published) advisories have already been covered by Debian.

  • system administrators can learn more about the vulnerability and its impact by following the cross references.

  • security administrators can also use this information to cross-check the output of vulnerability scanners that include CVE references, in order to remove false positives (see Section 12.1.2.1, "Vulnerability assessment scanner X says my Debian system is vulnerable!").

7.2.2. CVE compatibility

Debian Security Advisories were declared CVE-compatible (http://www.debian.org/security/CVE-certificate.jpg)[46] on February 24, 2004.

Debian developers understand the need to provide accurate and up-to-date information on the security status of the Debian distribution, allowing users to manage the risk associated with new security vulnerabilities. CVE enables us to provide standardized references that allow users to develop a CVE-enabled security management process (http://www.cve.mitre.org/compatible/enterprise.html).

The CVE project (http://cve.mitre.org) is maintained by the MITRE Corporation and provides a list of standardized names for vulnerabilities and security exposures.

Debian believes that providing users with additional information related to security issues that affect the Debian distribution is extremely important. The inclusion of CVE names in advisories helps users associate generic vulnerabilities with specific Debian updates, which reduces the time spent handling vulnerabilities that affect our users. It also eases the management of security in an environment where CVE-enabled security tools, such as network- or host-based intrusion detection systems or vulnerability assessment tools, are already deployed, regardless of whether or not they are based on the Debian distribution.

Debian provides CVE names for all DSAs released since September 1998. All of the advisories can be retrieved from the Debian web site, and announcements related to new vulnerabilities include CVE names if available at the time of their release. Advisories associated with a given CVE name can be searched directly through the Debian Security Tracker (see below).

In some cases you might not find a given CVE name in published advisories, for example because:

  • No Debian products are affected by that vulnerability.

  • There is not yet an advisory covering that vulnerability (the security issue might have been reported as a security bug, http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=security, but a fix has not been tested and uploaded).

  • An advisory was published before a CVE name was assigned to a given vulnerability (look for an update at the web site).
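The following script is an added example, not part of this manual and not a tool shipped by Debian. It ties together the two mechanisms described above: it parses a feed in the shape of the RDF channel (assumed here to be an RSS 1.0 document whose <item> elements carry a title, link and description, which is what http://www.debian.org/security/dsa.rdf provides) and builds a CVE-to-DSA index from the CVE names mentioned in each advisory, so that a given CVE name can be looked up and an empty result handled as one of the three cases just listed. The feed content embedded below is constructed for the example; its DSA numbers, package names and CVE names are placeholders, not real advisories.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample feed in the shape of an RSS 1.0 (RDF) channel such as
# http://www.debian.org/security/dsa.rdf. The DSA numbers, package names
# and CVE names below are placeholders invented for this example, not real
# advisories.
SAMPLE_RDF = """<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns="http://purl.org/rss/1.0/">
  <channel rdf:about="http://www.debian.org/security/dsa.rdf">
    <title>Debian Security Advisories</title>
    <link>http://www.debian.org/security/</link>
  </channel>
  <item rdf:about="http://www.debian.org/security/2004/dsa-9901">
    <title>DSA-9901-1 examplepkg - buffer overflow</title>
    <link>http://www.debian.org/security/2004/dsa-9901</link>
    <description>A buffer overflow (CVE-2004-9901) in examplepkg allows a
    remote attacker to execute arbitrary code.</description>
  </item>
  <item rdf:about="http://www.debian.org/security/2004/dsa-9902">
    <title>DSA-9902-1 otherpkg - several vulnerabilities</title>
    <link>http://www.debian.org/security/2004/dsa-9902</link>
    <description>Two problems were found: CVE-2004-9902 (local privilege
    escalation) and CVE-2004-9903 (denial of service). Note that
    CVE-2004-9902 was originally fixed incompletely.</description>
  </item>
</rdf:RDF>
"""

RSS_NS = {"rss": "http://purl.org/rss/1.0/"}
DSA_RE = re.compile(r"\bDSA-\d+(?:-\d+)?\b")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_dsa_feed(xml_text):
    """Return one dict per <item>: DSA id, title, link and the CVE names
    mentioned in the title or description (deduplicated, in order)."""
    root = ET.fromstring(xml_text)
    advisories = []
    for item in root.findall("rss:item", RSS_NS):
        title = item.findtext("rss:title", default="", namespaces=RSS_NS).strip()
        link = item.findtext("rss:link", default="", namespaces=RSS_NS).strip()
        desc = item.findtext("rss:description", default="", namespaces=RSS_NS)
        m = DSA_RE.search(title)
        # dict.fromkeys keeps first-seen order while dropping repeats
        cves = list(dict.fromkeys(CVE_RE.findall(title + " " + desc)))
        advisories.append({
            "dsa": m.group(0) if m else None,
            "title": title,
            "link": link,
            "cves": cves,
        })
    return advisories


def cve_index(advisories):
    """Map each CVE name to the list of DSA ids whose advisory mentions it."""
    index = {}
    for adv in advisories:
        for cve in adv["cves"]:
            index.setdefault(cve, []).append(adv["dsa"])
    return index


def lookup_cve(advisories, cve):
    """DSA ids covering a CVE name. An empty list means no advisory in the
    feed mentions it: either Debian is not affected, no advisory has been
    issued yet, or the advisory predates the CVE assignment (check the web
    site for an updated advisory)."""
    return cve_index(advisories).get(cve.upper(), [])


if __name__ == "__main__":
    advs = parse_dsa_feed(SAMPLE_RDF)
    for adv in advs:
        print(adv["dsa"], adv["title"], adv["cves"])
    print(lookup_cve(advs, "CVE-2004-9903"))
```

To run this against the live channel, replace SAMPLE_RDF with the body fetched from http://www.debian.org/security/dsa.rdf; the feed only lists recent advisories, so a miss there should be followed by a search of the full advisory archive or the Security Tracker before concluding that a CVE is not covered.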


[45] Translations are available in up to ten different languages.

[46] The full certificate (http://cve.mitre.org/compatible/phase2/SPI_Debian.html) is available at CVE.