=== Security ===

The Debian project handles security through [[Full disclosure (computer security)|public disclosure]]. Debian security advisories are compatible with the [[Common Vulnerabilities and Exposures]] dictionary, are usually coordinated with other free software vendors and are published the same day a vulnerability is made public.<ref>{{Cite web |title=Security Information |url=http://www.debian.org/security/ |url-status=live |archive-url=https://web.archive.org/web/20121031073733/http://www.debian.org/security/ |archive-date=October 31, 2012 |access-date=2008-12-13 |publisher=Debian}}</ref><ref>{{Cite web |date=2014-04-16 |title=Organizations Participating |url=https://cve.mitre.org/compatible/organizations.html#Software%20in%20the%20Public%20Interest,%20Inc. |url-status=live |archive-url=https://web.archive.org/web/20140526085923/http://cve.mitre.org/compatible/organizations.html#Software%20in%20the%20Public%20Interest,%20Inc. |archive-date=May 26, 2014 |access-date=2014-06-05 |publisher=[[Mitre Corporation|MITRE]]}}</ref> A Debian Security Audit Project once searched the packages in the stable release for security bugs;<ref>{{Cite web |date=2014-03-15 |title=Debian Security Audit Project |url=http://www.debian.org/security/audit/ |url-status=live |archive-url=https://web.archive.org/web/20140606223459/https://www.debian.org/security/audit/ |archive-date=June 6, 2014 |access-date=2014-06-04 |publisher=Debian}}</ref> Steve Kemp, who started the project, retired in 2011 but resumed his activities and applied to rejoin in 2014.<ref>{{Cite web |title=Advisories |url=http://www.steve.org.uk/Security/Advisories/ |url-status=live |archive-url=https://web.archive.org/web/20140819084841/http://www.steve.org.uk/Security/Advisories/ |archive-date=August 19, 2014 |access-date=2014-08-18 |publisher=Steve Kemp}}</ref><ref>{{Cite web |title=Steve Kemp |url=https://nm.debian.org/public/person/skx |url-status=live |archive-url=https://web.archive.org/web/20140819084712/https://nm.debian.org/public/person/skx |archive-date=August 19, 2014 |access-date=2014-08-18 |publisher=Debian}}</ref>

The ''stable'' branch is supported by the Debian security team; ''oldstable'' is supported for one year.<ref name="securityfaq">{{Cite web |date=2007-02-28 |title=Debian security FAQ |url=http://www.debian.org/security/faq |url-status=live |archive-url=https://web.archive.org/web/20080828054249/http://www.debian.org./security/faq |archive-date=August 28, 2008 |access-date=2008-10-21 |publisher=Debian}}</ref> Although Squeeze (Debian 6.0) was no longer officially supported, Debian coordinated an effort to provide [[long-term support]] (LTS) for it until February 2016, five years after its initial release, but only for the IA-32 and x86-64 platforms.<ref>{{Cite web |last=Larabel |first=Michael |author-link=Michael Larabel |date=2014-04-18 |title=Debian To Maintain 6.0 Squeeze As An LTS Release |url=https://www.phoronix.com/scan.php?page=news_item&px=MTY2NzA |url-status=live |archive-url=https://web.archive.org/web/20161006082828/https://www.phoronix.com/scan.php?page=news_item&px=MTY2NzA |archive-date=October 6, 2016 |access-date=2014-07-21 |publisher=[[Phoronix]]}}</ref> ''Testing'' is supported by the ''testing'' security team, but does not receive updates as promptly as ''stable''.<ref>{{Cite web |title=Debian testing security team |url=http://testing-security.debian.net |url-status=dead |archive-url=https://web.archive.org/web/20081005233623/http://testing-security.debian.net/ |archive-date=October 5, 2008 |access-date=2008-10-31 |publisher=Debian |df=mdy}}</ref> In ''unstable'', security is left to the individual package maintainers.<ref name="securityfaq" />

The Debian project offers documentation and tools to [[hardening (computing)|harden]] a Debian installation both manually and automatically.<ref>{{Cite web |title=Securing Debian Manual |url=http://www.debian.org/doc/user-manuals#securing |url-status=live |archive-url=https://web.archive.org/web/20210128190114/https://www.debian.org/doc/user-manuals#securing |archive-date=January 28, 2021 |access-date=2008-12-13 |publisher=Debian}}</ref> [[AppArmor]] support is available and has been enabled by default since Debian 10 (Buster).<ref>{{Cite web |title=Debian -- News -- Debian 10 "buster" released |url=https://www.debian.org/News/2019/20190706.en.html |url-status=live |archive-url=https://web.archive.org/web/20190707151659/https://www.debian.org/News/2019/20190706.en.html |archive-date=July 7, 2019 |access-date=2019-07-08 |website=www.debian.org}}</ref> Unlike operating systems such as [[OpenBSD]], Debian does not build all of its software by default with [[GNU Compiler Collection|gcc]] hardening features such as [[Position-independent code|PIE]] and [[buffer overflow protection]]; it provides an optional hardening wrapper<ref>{{Cite web |title=Debian Secure by Default |url=http://d-sbd.alioth.debian.org/www/ |url-status=dead |archive-url=https://web.archive.org/web/20041103003535/http://d-sbd.alioth.debian.org/www/ |archive-date=November 3, 2004 |access-date=2011-01-31 |publisher=Debian: SbD}}</ref> and tries to build as many packages as possible with hardening flags.<ref name="new-in-7">{{Cite web |title=Chapter 2. What's new in Debian 7.0 |url=http://www.debian.org/releases/wheezy/i386/release-notes/ch-whats-new.html |url-status=live |archive-url=https://web.archive.org/web/20140606220213/https://www.debian.org/releases/wheezy/i386/release-notes/ch-whats-new.html |archive-date=June 6, 2014 |access-date=2014-05-27 |website=Release Notes for Debian 7.0 (wheezy), 32-bit PC |publisher=Debian}}</ref> Recent releases have continued to move toward safer defaults: Debian 11 improved Secure Boot support and enabled persistent system journaling, and the project is working to make all of its packages [[Reproducible builds|reproducible]], so that anyone can verify that a binary package was built from its published source.<ref name="Introduction to Deep Learning VM" />

In May 2008, a Debian developer discovered that the [[OpenSSL]] package distributed with Debian and derivatives such as [[Ubuntu]] generated predictable cryptographic keys, leaving them open to a [[random number generator attack]]: the process ID had become the only input to the random number generator, so only 32,767 different keys of a given type and size could be produced on a given architecture.<ref>{{Cite web |date=2008-05-13 |title=DSA-1571-1 openssl: predictable random number generator |url=http://www.debian.org/security/2008/dsa-1571 |url-status=live |archive-url=https://web.archive.org/web/20110309045023/http://www.debian.org/security/2008/dsa-1571 |archive-date=March 9, 2011 |access-date=2008-10-31 |publisher=Debian}}</ref><ref>{{Cite web |title=CVE-2008-0166 |url=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166 |url-status=live |archive-url=https://web.archive.org/web/20140714005052/http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166 |archive-date=July 14, 2014 |access-date=2014-07-21 |publisher=[[Mitre Corporation|MITRE]]}}</ref><ref name="garfinkel">{{Cite magazine |last=Garfinkel |first=Simson |author-link=Simson Garfinkel |date=2008-05-20 |title=Alarming Open-Source Security Holes |url=https://www.technologyreview.com/2008/05/20/220474/alarming-open-source-security-holes/ |access-date=2014-07-21 |magazine=[[MIT Technology Review]]}}</ref> The weakness had been introduced in 2006, when another Debian developer commented out the code that mixed fresh entropy into the generator's pool in response to [[Valgrind]] warnings about the use of uninitialized memory.<ref name="garfinkel" /><ref>{{Cite web |date=2006-04-19 |title=valgrind-clean the RNG |url=https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516 |url-status=live |archive-url=https://web.archive.org/web/20140806025755/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516 |archive-date=August 6, 2014 |access-date=2014-06-21 |publisher=Debian BTS}}</ref> Patching the library was not enough to resolve the problem, because every key produced by the broken generator remained predictable; all affected keys and certificates, including SSH keys and X.509 certificate keys, had to be regenerated and replaced wherever they had been deployed.<ref>{{Cite web |year=2009 |title=When Private Keys are Public: Results from the 2008 Debian OpenSSL Vulnerability |url=http://cseweb.ucsd.edu/~hovav/dist/debiankey.pdf |url-status=live |archive-url=https://web.archive.org/web/20160304192449/http://cseweb.ucsd.edu/~hovav/dist/debiankey.pdf |archive-date=March 4, 2016 |access-date=2014-06-22 |publisher=[[University of California, San Diego]]}}</ref>
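The hardening flags discussed above (PIE, RELRO with BIND_NOW, a non-executable stack, the stack protector) leave visible marks in the built ELF binary, which is how Debian's own hardening-check tool (in the devscripts package) reports on a package. The following is an added example written for this article, not Debian's tool and not code from the article: a minimal ELF64 inspector that reads the same marks directly from the file, together with a constructed sample-image builder so that it can be exercised offline. The sample images carry only the headers the inspector looks at and are not loadable programs, and the stack-protector test is a heuristic string scan rather than a symbol-table lookup.

```python
"""Inspect the hardening properties of a little-endian ELF64 file.

Added example for this article (not Debian's hardening-check and not
code from the article). Only ELF64 is handled; the stack-protector check
scans for the __stack_chk_fail string instead of reading the symbol table.
"""
import struct
import sys

ET_DYN = 3                  # e_type of a shared object or PIE executable
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
DT_NULL = 0
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8           # bit in DT_FLAGS
DF_1_NOW = 0x1              # bit in DT_FLAGS_1
EHDR = "<HHIQQQIHHHHHH"     # ELF64 header after the 16-byte e_ident
PHDR = "<IIQQQQQQ"          # ELF64 program header (56 bytes)


def hardening_report(data: bytes) -> dict:
    """Return which hardening features an ELF64 image carries."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, *_rest) = struct.unpack_from(EHDR, data, 16)
    report = {
        "pie": e_type == ET_DYN,
        "relro": False,          # PT_GNU_RELRO present (partial RELRO)
        "bind_now": False,       # DF_BIND_NOW or DF_1_NOW set (full RELRO)
        "nx_stack": False,       # PT_GNU_STACK present without PF_X
        "stack_protector": b"__stack_chk_fail" in data,  # heuristic
    }
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz, _memsz, _align = \
            struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            report["relro"] = True
        elif p_type == PT_GNU_STACK:
            report["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            # Walk the (d_tag, d_val) pairs of the dynamic section to DT_NULL.
            for pos in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<qQ", data, pos)
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or \
                   (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                    report["bind_now"] = True
    report["full_relro"] = report["relro"] and report["bind_now"]
    return report


def make_sample_elf(pie, relro, bind_now, nx, stack_protector) -> bytes:
    """Build a constructed ELF64 image with the requested properties.

    The image has only the headers the inspector reads; it is not a
    loadable program and exists so the example runs without real binaries.
    """
    phdrs = []
    if relro:
        phdrs.append((PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
    phdrs.append((PT_GNU_STACK, 0x6 | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16))
    dyn_off = 64 + 56 * (len(phdrs) + 1)          # dynamic section after phdrs
    dynamic = struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW if bind_now else 0)
    dynamic += struct.pack("<qQ", DT_NULL, 0)
    phdrs.append((PT_DYNAMIC, 0x6, dyn_off, 0, 0, len(dynamic), len(dynamic), 8))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LSB, version 1
    ehdr = struct.pack(EHDR, ET_DYN if pie else 2, 62, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs), 64, 0, 0)
    body = ident + ehdr + b"".join(struct.pack(PHDR, *p) for p in phdrs) + dynamic
    if stack_protector:
        body += b"\0__stack_chk_fail\0"
    return body


if __name__ == "__main__":
    # Usage: python3 elfcheck.py /usr/bin/some-binary
    with open(sys.argv[1], "rb") as fh:
        for name, ok in hardening_report(fh.read()).items():
            print(f"{name:16} {'yes' if ok else 'NO'}")
```

Run against a real binary, the script prints one line per property; a package built with Debian's full set of hardening flags shows every line as "yes". A "NO" for pie or full_relro is exactly the gap the paragraph above describes: the package was not built with those flags, and the distribution does not enforce them for every package.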
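The OpenSSL incident above is worth seeing as arithmetic: once the process ID is the only input to the generator, the whole set of keys it can ever emit is small enough to precompute, which is both why the keys could be recovered from their public halves and why upgrading the library alone fixed nothing for keys already in use. The following toy model is an added example for this article, not Debian's or OpenSSL's code. It stands in a hash of the PID for real key derivation (a constructed model), keeps a precomputed fingerprint-to-key table the way the openssl-blacklist and ssh-vulnkey tools kept their blacklists, and shows a pre-patch key still being found after the generator is "fixed". In the real incident the output also depended on the architecture and on the key type and size, so the real blacklists were several times this size.

```python
"""Toy model of the 2008 Debian OpenSSL key weakness (CVE-2008-0166).

Added illustration for this article, not Debian's or OpenSSL's code.
The broken generator is modelled as a function of the process ID alone,
so its entire output space can be enumerated in advance. Keys are a
constructed stand-in (a hash), not real RSA or DSA material.
"""
import hashlib
import os

PID_MAX = 32768          # Linux default pid_max; usable PIDs are 1..32767


def weak_keygen(pid: int) -> bytes:
    """Model of the broken generator: output depends on the PID only."""
    # A real generator would turn RNG output into an RSA/DSA key; hashing
    # the PID stands in for that here (constructed model).
    return hashlib.sha256(b"model-weak-rng:" + pid.to_bytes(2, "big")).digest()


def fixed_keygen() -> bytes:
    """Model of the patched generator: seeded from the OS CSPRNG."""
    return hashlib.sha256(b"model-fixed-rng:" + os.urandom(32)).digest()


def fingerprint(key: bytes) -> str:
    """Truncated hash of a key, the form a blacklist stores."""
    return hashlib.sha256(key).hexdigest()[:20]


def build_blacklist() -> dict:
    """Enumerate every key the broken generator can produce.

    Maps fingerprint -> private key. The same table serves an administrator
    checking whether a key is weak and an attacker who holds only the
    fingerprint (or public key) and wants the private half.
    """
    blacklist = {}
    for pid in range(1, PID_MAX):
        key = weak_keygen(pid)
        blacklist[fingerprint(key)] = key
    return blacklist


def is_weak(key: bytes, blacklist: dict) -> bool:
    """Administrator's check: was this key produced by the broken generator?"""
    return fingerprint(key) in blacklist


def recover_private_key(fp: str, blacklist: dict):
    """What 'private keys are public' means: look the key up by fingerprint."""
    return blacklist.get(fp)


if __name__ == "__main__":
    table = build_blacklist()
    print(f"{len(table)} possible keys from the broken generator")
    before_patch = weak_keygen(4242)     # key made on a not-yet-patched host
    after_patch = fixed_keygen()         # key made after the library upgrade
    print("pre-patch key still weak after upgrade:", is_weak(before_patch, table))
    print("post-patch key weak:", is_weak(after_patch, table))
    print("pre-patch key recoverable from fingerprint:",
          recover_private_key(fingerprint(before_patch), table) == before_patch)
```

Building the table takes a fraction of a second here and took hours for the real key types, but the conclusion is the same: any key whose fingerprint appears in the table is compromised no matter which library version is now installed, which is why the remediation was regeneration rather than a package upgrade.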