Suggestion for Linux Distro (from PSA: Linux vulnerability)

Peter J. Holzer hjp-python at hjp.at
Wed Apr 13 14:03:00 EDT 2022


On 2022-04-12 21:03:00 +0200, Marco Sulla wrote:
> On Tue, 29 Mar 2022 at 00:10, Peter J. Holzer <hjp-python at hjp.at> wrote:
> > They are about a year apart, so they will usually contain different
> > versions of most packages right from the start. So the Ubuntu and Debian
> > security teams probably can't benefit much from each other.
> 
> Well, this is what my updater on Lubuntu says to me today:
> 
> Changes for tcpdump versions:
> Installed version: 4.9.3-0ubuntu0.18.04.1
> Available version: 4.9.3-0ubuntu0.18.04.2
> 
> Version 4.9.3-0ubuntu0.18.04.2:
> 
>   * SECURITY UPDATE: buffer overflow in read_infile
>     - debian/patches/CVE-2018-16301.patch: Add check of
>       file size before allocating and reading content in
>       tcpdump.c and netdissect-stdinc.h.
>     - CVE-2018-16301
>   * SECURITY UPDATE: resource exhaustion with big packets
>     - debian/patches/CVE-2020-8037.patch: Add a limit to the
>       amount of space that can be allocated when reading the
>       packet.
>     - CVE-2020-8037
> 
> I use an LTS version. So it seems that Ubuntu benefits from Debian
> security patches.

Why do you think so? Because the release notes mention debian/patches/*.patch?
This may be an artefact of the build process. The build tools for .deb
packages expect all kinds of meta-data to live in a subdirectory called
"debian", even on non-debian systems. This includes patches, at least if
the maintainer is using quilt (which AFAIK is currently the recommended
tool for that purpose).

OTOH tcpdump would be one of those packages where Ubuntu could use a
Debian patch directly: 4.9.3 has been the latest version for quite some
time (I have it in Debian 9, Ubuntu 18, Debian 10 and Ubuntu 20, but not
in Debian 11 (4.99.0)), so if any of those is patched, the others can
(almost certainly) use the patch with little or no changes. I think
this is rare, though: Packages with frequent security patches tend to
have frequent feature updates, too.

        hp

-- 
   _  | Peter J. Holzer    | Story must make more sense than reality.
|_|_) |                    |
| |   | hjp at hjp.at         |    -- Charles Stross, "Creative writing
__/   | http://www.hjp.at/ |       challenge!"
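As an added example, not code from this thread or from Debian/Ubuntu tooling: the dpkg version ordering (Debian Policy 5.6.12) implemented in Python and applied to the tcpdump version strings quoted above, so one can check whether an installed package is at or past the version that carries a CVE fix. Function names are my own.

```python
import re

# Added example, not code from the thread: dpkg-style version ordering
# (Debian Policy 5.6.12) for "[epoch:]upstream[-revision]" strings.
# Function names are my own; sample versions come from the quoted changelog.

def _char_weight(c: str) -> int:
    """Sort weight of a character in a non-digit run: '~' < letters < other."""
    if c == "~":
        return -1                       # '~' sorts before even an empty string
    if c.isascii() and c.isalpha():
        return ord(c)
    return ord(c) + 256                 # punctuation sorts after all letters

def _fragment_key(fragment: str) -> list:
    """Key for an upstream-version or debian-revision string.

    Alternating non-digit / digit runs: each non-digit run becomes a tuple of
    weights ending in 0 (end-of-run marker, which '~' at -1 still sorts below);
    each digit run becomes an int, so leading zeros are ignored and 10 > 9.
    """
    key = []
    for letters, digits in re.findall(r"(\D*)(\d*)", fragment, flags=re.ASCII):
        key.append(tuple(_char_weight(c) for c in letters) + (0,))
        key.append(int(digits or "0"))
    return key

def _cmp_fragments(a: str, b: str) -> int:
    """Pad the shorter key with neutral runs (dpkg treats a missing run as empty)."""
    ka, kb = _fragment_key(a), _fragment_key(b)
    n = max(len(ka), len(kb))
    ka += [(0,), 0] * ((n - len(ka)) // 2)
    kb += [(0,), 0] * ((n - len(kb)) // 2)
    return (ka > kb) - (ka < kb)

def split_version(version: str):
    """Split '[epoch:]upstream[-revision]'; epoch defaults to 0, revision to ''."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as 'dpkg --compare-versions' would order a against b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    return (ea > eb) - (ea < eb) or _cmp_fragments(ua, ub) or _cmp_fragments(ra, rb)

def has_fix(installed: str, fixed_in: str) -> bool:
    """True when the installed version is at or beyond the one carrying the fix."""
    return compare_versions(installed, fixed_in) >= 0
```

For the versions in the quoted changelog, `has_fix("4.9.3-0ubuntu0.18.04.1", "4.9.3-0ubuntu0.18.04.2")` is False while Debian 11's 4.99.0 compares greater than either.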