#1 2018-08-10 11:52:05

Hacksaurus_Babu
Member
Registered: 2017-01-21
Posts: 106

Is Arch Linux Vulnerable?

Hey, I just have a general question here. One of my friends stated that the reason why he doesn't use Arch Linux is because of how vulnerable it is, and he redirected me to https://security.archlinux.org/ and showed me many common packages that were vulnerable and how long they have been vulnerable, some stretching back to 2016. This is a valid concern, and I just wanted to ask, is Arch Linux really vulnerable?

#2 2018-08-10 12:31:46

archimboldo
Member
Registered: 2016-03-07
Posts: 232

Re: Is Arch Linux Vulnerable?

Oh really? How 'bout Debian?  wink https://security-tracker.debian.org/tracker/


Rules for problems.
Everyone has problems. Animals have problems. And buildings. And cats, and trees.
Problems are your friends. Treat them well.

#3 2018-08-10 12:32:26

drcouzelis
Member
From: Connecticut, USA
Registered: 2009-11-09
Posts: 4,092

Re: Is Arch Linux Vulnerable?

Hacksaurus_Babu wrote:

is Arch Linux really vulnerable?

I guess you can see how vulnerable it is, from that webpage... hmm

I clicked on two of the CVEs and compared the Arch Linux status to Red Hat. In Thunderbird, it appears that Red Hat has patched the vulnerability while Arch Linux hasn't (I don't use Thunderbird), and neither Red Hat nor Arch Linux has patched the Linux kernel vulnerability.

What operating system does your security conscious friend use?

#4 2018-08-10 12:33:01

Hacksaurus_Babu
Member
Registered: 2017-01-21
Posts: 106

Re: Is Arch Linux Vulnerable?

My friend uses Ubuntu

#5 2018-08-10 12:38:09

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: Is Arch Linux Vulnerable?


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

#6 2018-08-10 12:40:39

archimboldo
Member
Registered: 2016-03-07
Posts: 232

Re: Is Arch Linux Vulnerable?

Oh, some vintage CVE festival wink


Rules for problems.
Everyone has problems. Animals have problems. And buildings. And cats, and trees.
Problems are your friends. Treat them well.

#7 2018-08-10 12:40:53

Hacksaurus_Babu
Member
Registered: 2017-01-21
Posts: 106

Re: Is Arch Linux Vulnerable?

Holy crap, that 2002 CVE. Also, I just realized a lot of the packages listed in the Arch Linux CVE are outdated, so hey, that makes me feel better lol

#8 2018-08-10 13:19:28

etnull
Member
From: Hackerland
Registered: 2018-04-26
Posts: 33

Re: Is Arch Linux Vulnerable?

I think an average Arch installation would have fewer packages installed, which therefore makes it less vulnerable than user-friendly distros, even without defining what 'vulnerable' really means.

#9 2018-08-10 13:26:29

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: Is Arch Linux Vulnerable?

By the way, the date in a CVE number is not completely reliable. You can register blocks of CVEs and only use them months or years later.
https://cve.mitre.org/about/faqs.html#d … _cve_entry

Last edited by progandy (2018-08-10 13:27:25)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

#10 2018-08-10 13:32:44

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,442

Re: Is Arch Linux Vulnerable?

You could also compare arch's list to a distro that has no list at all.  Is that other distro then more secure as they aren't aware of any vulnerabilities?

There's one brand of dog food that prides itself on having the fewest recalls of any major brand.  They claim this demonstrates their greater commitment to quality and careful selection of ingredients.  They are correct that they have very few recalls - but that's only because they have failed to recall their food when they have had legal and ethical obligations to do so.  They willfully allowed their customers to feed their pets dangerous substances just to avoid having to publicly admit that there was a problem.

There will always be problems.  I'll feed my pup the brand that is honest about their problems and takes steps to correct them, not the one that buries its head in the sand and pretends everything is just fine.

Any distro that doesn't have a lengthy list of vulnerabilities is either intentionally hiding important information, or is run by those who are too incompetent to recognize and deal with potential vulnerabilities.

So is arch vulnerable?  Yup, damn right it is.

Last edited by Trilby (2018-08-10 13:34:45)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

#11 2018-08-10 14:14:01

drcouzelis
Member
From: Connecticut, USA
Registered: 2009-11-09
Posts: 4,092

Re: Is Arch Linux Vulnerable?

I feel pretty safe with Arch Linux. For example, often when I read about a big new security vulnerability on Slashdot at work, I'll go home and find out it has already been patched (officially, upstream) and installed on my computer for some time. Yay for rolling release! cool

Also, reading Slashdot has taught me that when a scary sounding vulnerability is announced, it helps to actually read and actually understand what is actually happening with the exploit. What can sound like the end of the world at first can end up being something like "an attacker can get your sensitive data if they have physical access to the computer and there is no BIOS password set and they install their own firmware" and I'm like, yeah, I don't think that's something I really need to worry about in practice...

#12 2018-08-10 14:33:30

mxfm
Member
Registered: 2015-10-23
Posts: 163

Re: Is Arch Linux Vulnerable?

Hacksaurus_Babu wrote:

Hey, I just have a general question here. One of my friends stated that the reason why he doesn't use Arch Linux is because of how vulnerable it is, and he redirected me to https://security.archlinux.org/ and showed me many common packages that were vulnerable and how long they have been vulnerable, some stretching back to 2016. This is a valid concern, and I just wanted to ask, is Arch Linux really vulnerable?

Some thoughts not mentioned in previous posts.

1) Nowadays a lot of vulnerabilities are BS. Consider two examples - one famous issue with systemd executing a process with root permissions if the specified user does not exist or the name is invalid, and the cryptsetup initrd "hack". In the first case the "CVE" required root permissions in the first place in order to write a bogus unit with a non-existent/invalid user name. (This bug gained more attention because the systemd-hate group exacerbated it.) In the second case, on some distro the initrd was written in such a way that hitting 'Enter' many times causes cryptsetup to drop to a rescue root shell (btw, this can be achieved simply by typing bogus parameters to cryptsetup). Access to a root shell sounds dangerous except it is not - because anyone with physical access to the machine can boot his own image with root permissions.

2) The reason why so many security issues are BS is that cyber security gains more money and attention. This trend is global and also occurs in my local country. Every day there is news from cyber security firms that corporate losses from illegal activity increase even more and that more money should be spent on security. Because of this more eyes are put on less error-prone code and this reduces marginal benefits. Following the recent trend, some security issues can be called 'fake'.

3) Arch is actually good in security because of fast updates. In my experience, this is the fastest distro in terms of updates. For example, some patches for the meltdown and spectre attacks arrived within days, while in gentoo it occurred after a week or so. There are some Arch characteristics which make updates easier because of less maintenance overhead (at the cost of lacking features from some other distros): only the x64 platform, only one set of compilation flags, a single compilation policy, a limited number of officially supported packages.

P.S. BTW, the numbers that security firms spread sound off-base and are likely aimed to surprise folks not from finance/economics. They claim billions of $USD of losses but they do not appear on the books (at least not on this scale). In my opinion, they create those losses in such a way: assume from the previous example that the potential loss from an intruder crafting bogus BIOS firmware/initrd cryptsetup is $USD 10 000. The organization has 100 computers, so the claimed loss is $USD 1 ml. smile As a more serious example, consider a firm whose site has an audience of 1 ml users and which leaks sensitive users' data. If the organization is incorporated in a country with strict privacy laws, some users could file suit to receive compensation of, let's say, 10 000. Cyber security firms will claim that the loss is $10 bln. Tl;dr those losses have nothing to do with actual transactions.

Last edited by mxfm (2018-08-10 14:44:35)

#13 2018-08-10 14:49:48

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,442
Website

Re: Is Arch Linux Vulnerable?

I think the above is a good summary of how vulnerabilities are often polishing out minor dents and dings and shouldn't be interpreted as catastrophic end-of-the-world tragedies.  But I disagree with the above in assuming the opposite must be true, that these vulnerabilities are BS.  Some may be minor dents/dings, and no one should panic, but they should still be patched up and not considered BS.

If you wish to argue that the media portrayal of them, or the public reaction, is often BS, then I'd likely agree.  But tracking bugs - even small ones - is just good practice.

Last edited by Trilby (2018-08-10 14:50:36)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

#14 2018-08-10 14:51:54

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: Is Arch Linux Vulnerable?

drcouzelis wrote:
Hacksaurus_Babu wrote:

is Arch Linux really vulnerable?

I guess you can see how vulnerable it is, from that webpage... hmm

I clicked on two of the CVEs and compared the Arch Linux status to Red Hat. In Thunderbird, it appears that Red Hat has patched the vulnerability while Arch Linux hasn't (I don't use Thunderbird), and neither Red Hat nor Arch Linux has patched the Linux kernel vulnerability.

What operating system does your security conscious friend use?

The Thunderbird CVE should probably be updated to "fixed" now that the repositories are incompatible with the logic "in Firefox before 61.0 and Thunderbird before 60.0" due to providing newer versions.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)
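The "fixed" decision eschwartz describes above (the affected range reads "Thunderbird before 60.0", the repositories provide 60.0 or newer, so the advisory no longer applies) can be made mechanically. The following is an added example of my own, not code from the Arch security tracker, from eschwartz or from any project: it pulls the "<Name> before <version>" phrases out of the CVE wording, strips pacman's epoch and pkgrel from the repository version, and compares with a simplified pacman-style version comparison. The installed versions and the affected-range sentence are constructed sample data, and the "before"-only phrase parsing and the simplified `vercmp` are assumptions of the example, not the tracker's actual logic.

```python
import re
from itertools import zip_longest

# Constructed sample data (assumption, not taken from the tracker): versions as the
# repositories might provide them, and the affected range worded as the CVE text does.
INSTALLED = {"firefox": "61.0.1-1", "thunderbird": "60.0-1"}
AFFECTED_TEXT = "in Firefox before 61.0 and Thunderbird before 60.0"

_SEG = re.compile(r"\d+|[A-Za-z]+")
_RANGE = re.compile(r"([A-Za-z][\w-]*) before (\d[\w.]*)")


def _segments(version):
    """Split a version into numeric / alphabetic runs: '60.0b3' -> ['60', '0', 'b', '3']."""
    return _SEG.findall(version)


def vercmp(a, b):
    """Return -1, 0 or 1 comparing a and b, simplified pacman/rpm style (assumption).

    Numeric segments compare as integers, alphabetic ones lexically, a numeric segment
    sorts after an alphabetic one in the same position, an extra trailing numeric
    segment sorts higher ('60.0.1' > '60.0') and an extra trailing alphabetic segment
    sorts lower ('60.0b3' < '60.0').
    """
    for x, y in zip_longest(_segments(a), _segments(b)):
        if x == y:
            continue
        if x is None or y is None:
            extra = y if x is None else x          # the segment only one side has
            a_is_longer = x is not None
            if extra.isdigit():
                return 1 if a_is_longer else -1
            return -1 if a_is_longer else 1
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return 0


def parse_affected(text):
    """Extract {package: first fixed version} from '<Name> before <ver>' phrases."""
    return {name.lower(): ver for name, ver in _RANGE.findall(text)}


def upstream_version(pkgver):
    """Drop pacman epoch and pkgrel: '1:60.0-2' -> '60.0' (advisory ranges name upstream versions)."""
    v = pkgver.split("-", 1)[0]
    return v.split(":", 1)[1] if ":" in v else v


def status(package, installed, affected_text):
    """Classify one package against the affected range: fixed / vulnerable / not affected."""
    fixed_in = parse_affected(affected_text).get(package.lower())
    if fixed_in is None:
        return "not affected"    # the advisory does not name this package at all
    if vercmp(upstream_version(installed), fixed_in) >= 0:
        return "fixed"           # repository version is at or past the first fixed version
    return "vulnerable"


def report(installed=INSTALLED, affected_text=AFFECTED_TEXT):
    """Status of every installed package against the advisory text."""
    return {pkg: status(pkg, ver, affected_text) for pkg, ver in installed.items()}


if __name__ == "__main__":
    for pkg, st in report().items():
        print(f"{pkg}: {st}")
```

The epoch is dropped here for simplicity; in real pacman an epoch changes ordering, so a production check would compare against pacman's own `vercmp` rather than this simplified one.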

#15 2018-08-10 14:59:44

mxfm
Member
Registered: 2015-10-23
Posts: 163

Re: Is Arch Linux Vulnerable?

Trilby wrote:

I think the above is a good summary of how vulnerabilities are often polishing out minor dents and dings and shouldn't be interpreted as catastrophic end-of-the-world tragedies.  But I disagree with the above in assuming the opposite must be true, that these vulnerabilities are BS.  Some may be minor dents/dings, and no one should panic, but they should still be patched up and not considered BS.

If you wish to argue that the media portrayal of them, or the public reaction, is often BS, then I'd likely agree.  But tracking bugs - even small ones - is just good practice.

I was talking about media and general public reception, not about patching packages.
