
Re: Analysis vulnerabilities associated to published security advisories, anyone?



On Wed, Mar 09, 2005 at 12:25:06PM +0100, Javier Fernández-Sanguino Peña wrote:

> Maybe you've seen it already, but the guys at Ubuntu have done a
> light-weight analysis of the vulnerabilities they have released since
> "Warty" was released: https://www.ubuntulinux.org/wiki/USNAnalysis

  A nice page.

> This analysis does not match the one on ICAT's database
> (http://icat.nist.gov/icat.cfm?function=statistics) but probably is related
> to the fact that a lot of tempfile races have been found and reported
> recently by the Security Audit team.

  Yes.

> I would like somebody to do a similar analysis regarding Debian's 
> vulnerabilities (Ubuntu vulns are probably a subset of those affecting 
> woody). Has anyone enough spare time?

  I'd be interested in helping out; it seems like it shouldn't take
 too long to break things down into the type of the vulnerability and
 local vs. remote.

  A simple script I wrote did that for me already - although there are
 some fixups required as we seem to have a few different spellings
 for different things, e.g. sanitizing vs sanitising.

  You can see the simple output here along with input and output.

	http://people.debian.org/~skx/2005/

  I'd be interested in average advisories per week, as well as
 classification on the actual output.  (Seems like buffer overflows
 are still the biggest reported thing for this year - although you've
 done a good job at showing temporary file issues).

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
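Added here as an illustration of the kind of breakdown Steve describes (it is not his script nor code from the Debian Security Audit Project): a small Python classifier over constructed advisory summaries that folds spelling variants such as sanitising/sanitizing into one form, tags each entry with a vulnerability type and local/remote scope, and computes advisories per week. The summaries, dates and category patterns are constructed assumptions, not real DSAs.

```python
import re
from collections import Counter
from datetime import date

# Constructed sample advisory summaries (invented dates and text, not real DSAs)
ADVISORIES = [
    ("2005-01-03", "buffer overflow in foo allows remote attackers to execute arbitrary code"),
    ("2005-01-10", "insecure temporary file creation in bar allows local users to overwrite files"),
    ("2005-01-12", "missing input sanitising in baz allows remote cross-site scripting"),
    ("2005-01-20", "improper sanitizing of arguments allows local privilege escalation"),
    ("2005-02-01", "format string vulnerability in qux allows remote denial of service"),
]

# Fold spelling variants into one canonical form so a category is not split in two
SPELLING_FIXUPS = {"sanitising": "sanitizing", "sanitised": "sanitized", "sanitise": "sanitize"}

# Ordered (category, regex) pairs; the first match wins (assumed taxonomy)
CATEGORY_PATTERNS = [
    ("buffer overflow", r"buffer overflow|stack overflow|heap overflow"),
    ("temporary file", r"temporary file|tempfile|temp file|symlink"),
    ("input sanitizing", r"sanitiz|cross-site scripting|sql injection"),
    ("format string", r"format string"),
]

def normalize(text):
    """Lower-case the summary and apply the spelling fixups."""
    text = text.lower()
    for variant, canonical in SPELLING_FIXUPS.items():
        text = text.replace(variant, canonical)
    return text

def classify(text):
    """Return (vulnerability category, 'remote'/'local'/'unknown') for one summary."""
    text = normalize(text)
    for name, pattern in CATEGORY_PATTERNS:
        if re.search(pattern, text):
            category = name
            break
    else:  # runs only when no pattern matched
        category = "other"
    scope = "remote" if "remote" in text else "local" if "local" in text else "unknown"
    return category, scope

def summarize(advisories):
    """Tally categories and local/remote scope, and compute advisories per week."""
    labels = [classify(text) for _, text in advisories]
    by_type = Counter(cat for cat, _ in labels)
    by_scope = Counter(scope for _, scope in labels)
    dates = sorted(date.fromisoformat(d) for d, _ in advisories)
    weeks = max((dates[-1] - dates[0]).days, 7) / 7  # span in weeks, at least one
    return {"by_type": by_type, "by_scope": by_scope, "per_week": len(advisories) / weeks}
```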


