Today I was looking at some of the various vendor security and advisory sites and I noticed at the top of the Ubuntu site: "For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker."
I had not seen the Ubuntu CVE Tracker before, so I checked it out, very interested because of the fact that certain sites continue to assert and report that some Linux distributions do not have any Unpatched issues. For example, take a look at the page Vulnerability Report: Ubuntu Linux 9.10 on secunia.com (9.10 is Ubuntu Karmic Koala, released on October 29, 2009) and you’ll see a couple of interesting summary statistics as shown here:
Looks good, eh? However, if you take a look at the CVE tracker, you get a view that is a bit different:
You can see the Risk Color Key, but it is about what you’d expect. Red is High or Critical, orange is Medium and yellow is Low. The asterisk means that this is a package maintained by Canonical instead of a 3rd-party.
I didn’t bother to do a count, but I can see that the number of “needed” fixes is somewhat larger than zero. However, I did not see any RED = High vulnerabilities, so I did check one more thing – I wondered how these severity ratings mapped to CVSS as used by the National Vulnerability Database (i.e., http://nvd.nist.gov). I spot-checked a few:
- CVE-2009-4537, kernel, Orange(Medium) by Canonical, High(7.8) by CVSS
- CVE-2009-4565, sendmail, Orange(Medium) by Canonical, High(7.5) by CVSS
- CVE-2010-0408, apache2, Orange(Medium) by Canonical, Medium(5.0) by CVSS
- CVE-2010-0433, openssl, Orange(Medium) by Canonical, Medium(4.3) by CVSS
- CVE-2007-5901, krb5 (kerberos), Yellow(Low) by Canonical, High(10.0) by CVSS
There were 474 CVE entries, so I didn’t do a comprehensive check, but it turns out that there are more than a few of these unfixed vulnerabilities that are rated High by CVSS.
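The spot check above can be repeated mechanically. The following is an added example, not part of the original post: it parses the five list lines as written, derives the CVSS band from the score, and reports entries where the vendor priority sits below that band. The 0-3.9 / 4.0-6.9 / 7.0-10.0 cut-offs are NVD's CVSS v2 ranges (an assumption that these scores are v2, which fits the dates), and the function names are made up for this sketch.

```python
import re

# The five spot-checked lines, copied from the list in the post.
SPOT_CHECKS = """\
- CVE-2009-4537, kernel, Orange(Medium) by Canonical, High(7.8) by CVSS
- CVE-2009-4565, sendmail, Orange(Medium) by Canonical, High(7.5) by CVSS
- CVE-2010-0408, apache2, Orange(Medium) by Canonical, Medium(5.0) by CVSS
- CVE-2010-0433, openssl, Orange(Medium) by Canonical, Medium(4.3) by CVSS
- CVE-2007-5901, krb5 (kerberos), Yellow(Low) by Canonical, High(10.0) by CVSS
"""

# Ordinal ranks so the two rating scales can be compared.
RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
LINE_RE = re.compile(
    r"(CVE-\d{4}-\d+), (.+?), \w+\((\w+)\) by Canonical, (\w+)\(([\d.]+)\) by CVSS")

def cvss_v2_band(score):
    """Map a CVSS v2 base score to NVD's Low/Medium/High band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"

def parse(text):
    """Turn each matching list line into a dict; other lines are skipped."""
    rows = []
    for m in LINE_RE.finditer(text):
        cve, pkg, vendor, stated, score = m.groups()
        rows.append({"cve": cve, "package": pkg, "vendor": vendor,
                     "stated": stated, "score": float(score)})
    return rows

def underrated(rows):
    """Entries whose vendor priority ranks below the CVSS band, worst gap first."""
    out = []
    for r in rows:
        band = cvss_v2_band(r["score"])
        gap = RANK[band] - RANK[r["vendor"]]
        if gap > 0:
            out.append((r["cve"], r["package"], r["vendor"], band, r["score"], gap))
    return sorted(out, key=lambda t: (-t[5], -t[4]))

if __name__ == "__main__":
    for cve, pkg, vendor, band, score, gap in underrated(parse(SPOT_CHECKS)):
        print(f"{cve} {pkg}: vendor={vendor} cvss={band}({score}) gap={gap}")
```
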