7.2. Debian Security Advisories
Debian Security Advisories (DSAs) are issued whenever a security vulnerability is discovered that affects a Debian package. These advisories, signed by one of the Security Team members, include information on the versions affected as well as the location of the updates. This information is:
version number for the fix.
problem type.
whether it is remote or locally exploitable.
short description of the package.
description of the problem.
description of the exploit.
description of the fix.
DSAs are published both on the Debian front page (http://www.debian.org/) and in the Debian security pages (http://www.debian.org/security/). Usually this does not happen until the website is rebuilt (every four hours), so they might not be present immediately. The preferred channel is the debian-security-announce mailing list.
Interested users can, however, use the RDF channel to download the DSAs automatically to their desktop (this is done in some Debian-related portals). Some applications, such as Evolution (an email client and personal information assistant) and Multiticker (a GNOME applet), can be used to retrieve the advisories automatically. The RDF channel is available at http://www.debian.org/security/dsa.rdf.
DSAs published on the website might be updated after being sent to the public mailing lists. A common update is adding cross references to security vulnerability databases. Also, translations of DSAs are not sent to the security mailing lists but are directly included in the website.
7.2.1. Vulnerability cross references
Advantages of adding cross references to these vulnerability databases are:
it makes it easier for Debian users to see and track which general (published) advisories have already been covered by Debian.
system administrators can learn more about the vulnerability and its impact by following the cross references.
Debian developers understand the need to provide accurate and up-to-date information on the security status of the Debian distribution, allowing users to manage the risk associated with new security vulnerabilities. CVE enables us to provide standardized references that allow users to develop a CVE-enabled security management process (see http://www.cve.mitre.org/compatible/enterprise.html).
The Common Vulnerabilities and Exposures project (http://cve.mitre.org) is maintained by the MITRE Corporation and provides a list of standardized names for vulnerabilities and security exposures.
Debian believes that providing users with additional information related to security issues that affect the Debian distribution is extremely important. The inclusion of CVE names in advisories helps users associate generic vulnerabilities with specific Debian updates, which reduces the time spent handling vulnerabilities that affect our users. It also eases the management of security in an environment where CVE-enabled security tools (such as network or host intrusion detection systems, or vulnerability assessment tools) are already deployed, regardless of whether or not they are based on the Debian distribution.
Debian provides CVE names for all DSAs released since September 1998. All of the advisories can be retrieved on the Debian web site, and announcements related to new vulnerabilities include CVE names if available at the time of their release. Advisories associated with a given CVE name can be searched directly through the Debian Security Tracker (see below).
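The following is an added example, not code from the Securing Debian Manual or from the Debian project, that ties together the RDF channel described above and the CVE cross references of this section: it parses an RSS 1.0 (RDF) advisory feed, extracts the DSA identifier, revision and CVE names of each item, and answers the two questions the cross references exist for (which DSA covers a given CVE name, and which CVE names from another source are not yet covered by any DSA). The feed embedded below is constructed for illustration with fictitious DSA and CVE numbers; it is modelled on the RSS 1.0 layout of dsa.rdf but is not a capture of the real channel. The assumptions that the item title starts with the DSA id, that re-issued advisories carry a "-N" revision suffix, and that CVE names appear in the title or description are assumptions of this example, not statements from the page.

```python
# Added example (not from the Securing Debian Manual or the Debian project):
# parse a DSA RDF channel and cross-reference CVE names. SAMPLE_FEED is a
# constructed feed with fictitious DSA/CVE numbers, modelled on the RSS 1.0
# layout that dsa.rdf uses; it is not a capture of the real channel.
import re
import xml.etree.ElementTree as ET

RSS_NS = "http://purl.org/rss/1.0/"  # default namespace of an RSS 1.0 (RDF) feed

# CVE names are CVE-YYYY-NNNN (four or more digits). DSA ids are assumed to
# carry a revision suffix (DSA-NNNN-2) when an advisory is re-issued.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
DSA_RE = re.compile(r"\bDSA-(\d+)(?:-(\d+))?\b")

SAMPLE_FEED = """<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns="http://purl.org/rss/1.0/">
  <channel rdf:about="http://www.debian.org/security/dsa.rdf">
    <title>Debian Security Advisories (constructed sample)</title>
    <link>http://www.debian.org/security/</link>
  </channel>
  <item rdf:about="http://www.debian.org/security/2000/dsa-0002">
    <title>DSA-0002-2 examplepkg - updated advisory</title>
    <link>http://www.debian.org/security/2000/dsa-0002</link>
    <description>Regression fix; also covers CVE-2000-9002 (CVE-2000-9001).</description>
  </item>
  <item rdf:about="http://www.debian.org/security/2000/dsa-0002">
    <title>DSA-0002 examplepkg - local privilege escalation</title>
    <link>http://www.debian.org/security/2000/dsa-0002</link>
    <description>Locally exploitable. Reference: CVE-2000-9001.</description>
  </item>
  <item rdf:about="http://www.debian.org/security/2000/dsa-0001">
    <title>DSA-0001 otherpkg - remote buffer overflow</title>
    <link>http://www.debian.org/security/2000/dsa-0001</link>
    <description>Remotely exploitable. Fixed in 1.2-3. See CVE-2000-1234 and CVE-2000-5678.</description>
  </item>
</rdf:RDF>
"""


def parse_dsa_feed(xml_text):
    """Return one dict per advisory item: id, number, revision, title, link, cves."""
    root = ET.fromstring(xml_text)
    entries = []
    for item in root.iter("{%s}item" % RSS_NS):
        title = (item.findtext("{%s}title" % RSS_NS) or "").strip()
        link = (item.findtext("{%s}link" % RSS_NS) or "").strip()
        desc = item.findtext("{%s}description" % RSS_NS) or ""
        m = DSA_RE.search(title)
        if not m:
            continue  # not an advisory item; ignore it rather than guess
        entries.append({
            "id": m.group(0),
            "number": int(m.group(1)),
            "revision": int(m.group(2)) if m.group(2) else 1,
            "title": title,
            "link": link,
            # CVE names may appear in the title or the description; dedupe them
            "cves": sorted(set(CVE_RE.findall(title + " " + desc))),
        })
    return entries


def find_by_cve(entries, cve_name):
    """Advisory ids (in feed order, newest first) that reference cve_name."""
    cve_name = cve_name.upper()
    return [e["id"] for e in entries if cve_name in e["cves"]]


def uncovered_cves(entries, cve_names):
    """CVE names from another source that no DSA in the feed references yet."""
    covered = {c for e in entries for c in e["cves"]}
    wanted = {n.upper() for n in cve_names}
    return sorted(c for c in wanted if c not in covered)


if __name__ == "__main__":
    entries = parse_dsa_feed(SAMPLE_FEED)
    for e in entries:
        print("%-12s rev %d  %s" % (e["id"], e["revision"], ", ".join(e["cves"]) or "-"))
    print("CVE-2000-9001 is covered by:", find_by_cve(entries, "CVE-2000-9001"))
    print("not yet covered:", uncovered_cves(entries, ["CVE-2000-1234", "CVE-2000-7777"]))
```

To run it against the live channel, fetch http://www.debian.org/security/dsa.rdf (for example with wget) and pass the file contents to parse_dsa_feed. Keep in mind that the RDF channel is a convenience notification and carries no signature; the signed announcement on debian-security-announce remains the authoritative copy, and the website version may gain cross references after the mail went out, so a CVE name missing from the feed today may appear in a later rebuild.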
In some cases you might not find a given CVE name in published advisories, for example because: