Debian ships with disabled security feature

TOPICS: Open Source, Linux

A configuration mistake in the new Debian Linux distribution has forced a fix less than 24 hours after the software was released.

"New installs [of Debian 3.1 from CD and DVD]... will not get security updates by default," said Debian developer Colin Watson in an e-mail warning. Installations from floppy disks or network servers were not affected.

Watson apologised and asked vendors to delay burning CDs or DVDs of Debian 3.1, adding that an update would be available shortly. However, Steve Langasek -- another member of the release team -- said on his blog it would probably be a day or two before the updated CD and DVD images were available everywhere.

"Whoops," said Langasek. "Don't go pressing those 10,000 copies of [3.1] just yet."

The good news for those who have already installed the operating system is that fixing the problem is a simple matter of replacing an entry in a configuration file.
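A check of this kind can be scripted. The following is an added example, not part of the original article or of Debian's own fix: it assumes the one-line APT `sources.list` format and that security updates come from `security.debian.org` under a `<release>/updates` suite. The article does not say which entry was wrong, so the sample files and the function names are constructed.

```shell
#!/bin/sh
# Audit an APT sources.list for an active security-archive entry.
# Usage: check_security_source FILE EXPECTED_SUITE
# Returns 0 = entry present with expected suite,
#         1 = security entry present but on another suite,
#         2 = no active security entry at all.
check_security_source() {
    awk -v want="$2" '
        /^[[:space:]]*#/ { next }                 # commented-out lines do not count
        $1 == "deb" {
            i = 2
            if ($i ~ /^\[/) {                     # skip an optional [options] group
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            if ($i ~ "^https?://security\\.debian\\.org(/|$)") {
                seen = 1
                if ($(i + 1) == want) ok = 1
            }
        }
        END { if (ok) exit 0; if (seen) exit 1; exit 2 }
    ' "$1"
}

# Constructed sample files (not taken from a real installation).
make_samples() {
    cat > "$1/ok.list" <<'EOF'
deb http://ftp.debian.org/debian stable main
deb http://security.debian.org/ stable/updates main
EOF
    cat > "$1/wrong.list" <<'EOF'
deb http://ftp.debian.org/debian stable main
deb http://security.debian.org/ testing/updates main
EOF
    cat > "$1/missing.list" <<'EOF'
deb http://ftp.debian.org/debian stable main
# deb http://security.debian.org/ stable/updates main
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
for name in ok wrong missing; do
    rc=0
    check_security_source "$tmp/$name.list" stable/updates || rc=$?
    echo "$name.list -> $rc"
done
rm -rf "$tmp"
```

On a real system the file to pass is `/etc/apt/sources.list`, with the suite that matches the installed release.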

Version 3.1 has been long anticipated by the Debian community, as it has been three years since the last major release of the software. This cycle is significantly slower than that followed by competing Linux vendors like Red Hat.

Debian is not the only high-profile software project to be forced to fix a dangerous security problem shortly after release.

Netscape fixed two critical flaws in the new version of its browser in a similarly short time frame after it was released late last month. Ironically, Netscape marketed the release as being able to provide users with additional security features not found elsewhere.


Talkback

8 comments
  • I have to complain about a serious misrepresentation. The problem described in this article never exposed any vulnerability in users. It just happened that automatic security updates were not enabled by default, which is not a big issue until there are actual security problems to address, and there were currently none. Therefore of course this should not have happened, but to rate this as a "dangerous security flaw" is at the very least an overstatement, given that 1) no computers were left open to attack due to it and 2) it can be fixed straightforwardly as described.
    anonymous
  • No, the "security update feature" is not missing. It just needs to be configured. It's a matter of changing one word in the /etc/apt/sources.list file.
    anonymous
  • So what you are saying is that you need to have good skills in the OS to be able to fix the oversight. Is this as easy as the automatic updates in other OS's or some command line file manipulation, therefore out of the reach of newbies who want to try it out as an alternative?
    anonymous
  • "So what you are saying is that you need to have good skills in the OS to be able to fix the oversight."

    If you can't edit a simple text file, you have no business on a computer. I don't care how much of a newbie you are, if you can't follow explicit instructions to edit said text file, sell your computer and get a typewriter.

    "Is this as easy as the automatic updates in other OS's or some command line file manipulation, therefore out of the reach of newbies who want to try it out as an alternative?"

    If you can't edit a simple text file, you have no business on a computer. I don't care how much of a newbie you are, if you can't follow explicit instructions to edit said text file, sell your computer and get a typewriter.
    anonymous
  • Oops. Maybe I should sell mine.. My second comment should read:

    "Is this as easy as the automatic updates in other OS's or some command line file manipulation, therefore out of the reach of newbies who want to try it out as an alternative?"

    Unlike an "other" operating system, you don't have to point and click through twelve different menus/dialogs to get to the correct checkbox. Nor do you then need to reboot due to making a change.
    anonymous
  • So Bill what you are saying is the receptionist must be able to directly manipulate a file by following instructions and basically wasting her time much better spent on other things. This was my point. Many business users are not geeks who need or want to manipulate files. This has to be a centrally controlled or administered update. Users should not have any rights to the OS or like files...this is called security
    anonymous
  • I'm sure a receptionist would have no problem following instructions to the letter. Of course, a business user shouldn't have the access to make security changes. This goes for Linux or any other OS - that's what the IT department is for. If your IT dept. needs instructions, you have more to worry about than a simple fix like this.

    You want to centrally control and administer the update? No problem. This can be done from the desk of the IT tech delegated to do the fix. Or, with a bit of scripting, Debian can be made to look for updates on the server of your choice and easily replace or diff the file. Auto updates? Been in Debian for a while.
    anonymous
  • Bill, you must be one of the few people here who realise running a business is not about what company you bought the OS from, but how you manage it.

    It really doesn't matter where it comes from as all systems, environments etc require administration, maintenance and patching. There is no such thing as a secure OS or configuration of the OS, some more hardened than others etc but it gets down to three things the people, the processes they religiously follow and the technology
    anonymous