this post was submitted on 30 Mar 2024
76 points (93.2% liked)

Linux

48376 readers
1615 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

Do you rely on mailing lists or news articles for security vulnerabilities? Please share.

I only got to know about xz/liblzma ^[1] and curl ^[2] ^[3] vulnerabilities through lemmy (maybe because of high severity?).

top 34 comments
sorted by: hot top controversial new old
[–] bjoern_tantau@swg-empire.de 42 points 8 months ago (1 children)

I do regular automated updates. For anything requiring human intervention like the xz thing I trust Lemmy and YouTube to keep me updated. No dedicated news source because if I were to freak out about every new vulnerability found I wouldn't be able to sleep at night.

[–] delirious_owl@discuss.online 1 points 8 months ago (1 children)

Why does the xz thing require human intervention?

[–] bjoern_tantau@swg-empire.de 4 points 8 months ago

If you had it on a computer that is accessible via SSH from the internet you should proceed under the assumption that it was compromised. Which means you should reinstall from a safe medium and change your keys and passwords.

[–] andrewd18@midwest.social 15 points 8 months ago (2 children)
[–] PlexSheep@feddit.de 4 points 8 months ago

Didn't know this existed. Just subscribed. Thanks

[–] Pika@sh.itjust.works 2 points 8 months ago

you just made me look for my distros security list, I never even thought of that!

[–] Trent@lemmy.ml 13 points 8 months ago

Fediverse and RSS mostly.

[–] brunacho@scribe.disroot.org 11 points 8 months ago (1 children)

My distribution (archlinux) notifies of critical vulnerabilities that require user action. There's a news mailing list.

After that I rely on social network (Mastodon mostly) or lemmy for news, as vulnerabilities often get some conversation. Apart from that, software i'm really interested in I also follow through RSS so I get news when they update for their vulnerabilities -that is when the vulnerabilities are not self inflicted as the xz case-.

[–] EddyBot@feddit.de 4 points 8 months ago

Arch Linux (like some other distros) also has a security tracker: https://security.archlinux.org/

[–] PlexSheep@feddit.de 9 points 8 months ago* (last edited 8 months ago)

I didn't really consider that there are feeds for such things, especially for my distro(s). Embarrassing, but it means you helped making me safer!

I'm now subscribed to the Debian security list, seeing as all my servers run Debian. I just had unattended upgrades with Mail logs before.

[–] LastoftheDinosaurs@reddthat.com 6 points 8 months ago

I rely on notifications from glsa-check or my distro's package manager. I was notified about a problem with xz-utils on Thursday evening, but didn't see anyone post about it until Friday morning.

glsa-check is a command-line tool included with the gentoolkit package in Gentoo Linux. Its primary function is to scan your system for installed packages that are vulnerable according to Gentoo Linux Security Advisories (GLSAs). GLSAs are official notifications from the Gentoo security team about security vulnerabilities that affect packages in the Gentoo repository.

[–] Mikelius@lemmy.ml 6 points 8 months ago

I tend to find out about vulnerabilities before it hits the news outlets from the rss feed at https://seclists.org/oss-sec/

Other than that, I've got a bunch of other security feeds I follow and also have automated updates with just about everything.

[–] eveninghere@beehaw.org 6 points 8 months ago (1 children)

Seeing my colleagues, I fear that the answer from them is "That's the neat part, you don't!"

[–] LastoftheDinosaurs@reddthat.com 4 points 8 months ago (1 children)

Same here. Our servers are so out of date that we might not have a version of xz with any commits from Jia Tan at all.

[–] delirious_owl@discuss.online 1 points 8 months ago

I don't think up-to-date Debian stable even got it before it was discovered. No prod servers should be affected

[–] lurch@sh.itjust.works 5 points 8 months ago

the worst ones end up on https://slashdot.org/ e.g.:

https://m.slashdot.org/story/426644

I read it like twice per day. However, my software updates should fix most automatically without me even knowing what was going on.

[–] Vilian@lemmy.ca 4 points 8 months ago

i subscribed for fedora mailist a few days ago and their talk awas helpful for me to notice that i was one of the affected, just subscribe to your distro blog/mail/etc

[–] delirious_owl@discuss.online 4 points 8 months ago (1 children)

I just use unattended-upgrades and forget about it

[–] corsicanguppy@lemmy.ca 5 points 8 months ago* (last edited 8 months ago)

Same for the RPM ecosystem: yum-cron and walk away. Been that way for almost 25 years.

Having been involved with OS Security in the middle of my career, I also still watch feeds like I used to; just, different ones, now.

[–] lemmyreader@lemmy.ml 3 points 8 months ago

Found out about the xz one on Lemmy. Years ago I was briefly subscribed to Bugtraq but that was too much. Now I'm subscribed to a few OS specific security announcement mailing lists.

[–] AlphaAutist@lemmy.world 3 points 8 months ago

You can watch rss feeds to follow all CVEs like Microsoft’s https://api.msrc.microsoft.com/update-guide/rss

NIST used to have an rss feed for CVEs but deprecated it recently. They still have other ways you can follow it though https://nvd.nist.gov/vuln/data-feeds

Or if you just want to follow CVEs for certain applications you can host/subscribe to something like https://www.opencve.io/welcome which allows you to filter CVEs from NIST’s National Vulnerability Database (NVD)

[–] KarnaSubarna@lemmy.ml 2 points 8 months ago
[–] treadful@lemmy.zip 2 points 8 months ago

Used to follow the RHEL security lists but they recently retired those as well. Could really use a replacement.

[–] tla@lemmy.world 2 points 8 months ago
[–] BaalInvoker@lemmy.eco.br 2 points 8 months ago (1 children)

I rely on Lemmy and in pacman -Syyu everyday

[–] unhinge@programming.dev 1 points 8 months ago* (last edited 8 months ago) (2 children)

~~Then, what does a package maintainer rely on?~~

Edit: I'm so dumb. It's obvious they'd check original developer's repo or issue tracker. I'm sorry

[–] BaalInvoker@lemmy.eco.br 2 points 8 months ago

I don't know... I guess in mailing lists and pages like RSS feed from main enterprises like SuSE, Red Hat and Canonical

[–] Aradia@lemmy.ml 1 points 8 months ago

You can track this kind of stuff on Mastodon also, join into a security instance (like https://infosec.exchange/explore) or start following them from another instance.

[–] catloaf@lemm.ee 2 points 8 months ago

I don't. I run software whose maintainers I trust to provide regular security updates.

Of course there's some software I have installed that doesn't fit that criteria. But I also minimize my attack surface by exposing the bare minimum and enabling extra security features where I can.

Mainly Phoronix and Lemmy.

[–] JoeKrogan@lemmy.world 1 points 8 months ago

Your distro should havê a security mailing list you van subscribe to

[–] kylian0087@lemmy.dbzer0.com 1 points 7 months ago

I actually have automated security updates on all my servers. Also in general i run greenbone at home that does daily scans of all the VLANS/networks I have at home.

[–] giloronfoo@beehaw.org 1 points 8 months ago

I'm subscribed to https://bugalert.org/ RSS feeds, but it seems they haven't had any activity since October last year.

Does anyone know what happened to them?

[–] slazer2au@lemmy.world 1 points 8 months ago

Lucky I only have to worry about ones from Cisco or FortiNet and both have RSS feeds that I have linked into Slack at work to tell us when a new patch is out or a new psirt is released.