Debian ships with disabled security feature

A configuration mistake in the new Debian Linux distribution has forced a fix less than 24 hours after the software was released.

"New installs [of Debian 3.1 from CD and DVD]... will not get security updates by default," said Debian developer Colin Watson in an e-mail warning. Installations from floppy disks or network servers were not affected.

Watson apologised and asked vendors to delay burning CDs or DVDs of Debian 3.1, adding that an update would be available shortly. However, Steve Langasek -- another member of the release team -- said on his blog it would probably be a day or two before the updated CD and DVD images were available everywhere.

"Whoops," said Langasek. "Don't go pressing those 10,000 copies of [3.1] just yet."

The good news for those who have already installed the operating system is that fixing the problem is a simple matter of replacing an entry in a configuration file.

Version 3.1 has been long anticipated by the Debian community, as it has been three years since the last major release of the software. This cycle is significantly slower than that followed by competing Linux vendors like Red Hat.

Debian is not the only high-profile software project forced to fix a dangerous security problem in short order after a release.

Netscape fixed two critical flaws in the new version of its browser in a similarly short time frame after it was released late last month. Ironically, Netscape marketed the release as being able to provide users with additional security features not found elsewhere.


Talkback 8 comments

  1. Anonymous -- 09/06/05

    I have to complain about a serious misrepresentation. The problem described in this article never exposed any vulnerability in users. It just happened that automatic security updates were not enabled by default, which is not a big issue until there are actual security problems to assess, and there were currently none. Therefore of course this should not have happened, but to rate this as a "dangerous security flaw" is at very least an overstatement, given that 1) no computers were left open to attack due to it and 2) it can be fixed straightforwardly as described.

  2. Anonymous -- 09/06/05

    No, the "security update feature" is not missing. It just needs to be configured. It's a matter of changing one word in the /etc/apt/sources.list file.

  3. Anonymous -- 09/06/05

    So what you are saying is that you need to have good skills in the OS to be able to fix the oversight. Is this as easy as the automatic updates in other OS's or some command line file manipulation, therefore out of the reach of newbies who want to try it out as an alternative?

  4. Anonymous -- 09/06/05

    "So what you are saying is that you need to have good skills in the OS to be able to fix the oversight."

    If you can't edit a simple text file, you have no business on a computer. I don't care how much of a newbie you are, if you can't follow explicit instructions to edit said text file, sell your computer and get a typewriter.

    "Is this as easy as the automatic updates in other OS's or some command line file manipulation, therefore out of the reach of newbies who want to try it out as an alternative?"

    If you can't edit a simple text file, you have no business on a computer. I don't care how much of a newbie you are, if you can't follow explicit instructions to edit said text file, sell your computer and get a typewriter.

  5. Anonymous -- 09/06/05

    Oops. Maybe I should sell mine. My second comment should read:

    "Is this as easy as the automatic updates in other OS's or some command line file manipulation, therefore out of the reach of newbies who want to try it out as an alternative?"

    Unlike an "other" operating system, you don't have to point and click through twelve different menus/dialogs to get to the correct checkbox. Nor do you then need to reboot due to making a change.

  6. Anonymous -- 10/06/05

    So Bill, what you are saying is the receptionist must be able to directly manipulate a file by following instructions and basically wasting her time, much better spent on other things. This was my point. Many business users are not geeks who need or want to manipulate files. This has to be a centrally controlled or administered update. Users should not have any rights to the OS or like files... this is called security.

  7. Anonymous -- 10/06/05

    I'm sure a receptionist would have no problem following instructions to the letter. Of course, a business user shouldn't have the access to make security changes. This goes for Linux or any other OS - that's what the IT department is for. If your IT dept. needs instructions, you have more to worry about than a simple fix like this.

    You want to centrally control and administer the update? No problem. This can be done from the desk of the IT tech delegated to do the fix. Or, with a bit of scripting, Debian can be made to look for updates on the server of your choice and easily replace or diff the file. Auto updates? Been in Debian for a while.

  8. Anonymous -- 11/06/05

    Bill, you must be one of the few people here who realise running a business is not about what company you bought the OS from, but how you manage it.

    It really doesn't matter where it comes from, as all systems, environments etc. require administration, maintenance and patching. There is no such thing as a secure OS or configuration of the OS, some more hardened than others etc., but it gets down to three things: the people, the processes they religiously follow and the technology.
