
Doesn't that make the mere act of updating a newly installed Linux instance unsafe, since the initially installed package manager is vulnerable? Am I missing something?

For example, the current Ubuntu 15.10 image dates 21 Oct (http://releases.ubuntu.com/15.10) and the Fedora 23 image dates 30 Oct (http://mirror.cc.vt.edu/pub/fedora/linux/releases/23/Workstation/x86_64/iso). Why is that?

This Ubuntu security advisory says that the 15.10 release is affected: http://www.ubuntu.com/usn/usn-2900-1, but the install image doesn't seem to have been updated ever since it was first released.

My concern is this: as far as I have understood, any application that uses glibc to perform DNS queries is vulnerable, the package manager has to perform DNS queries to find mirrors and runs as root, and the vulnerability has already been known for a while.

Do apt and RPM use a different library for performing their DNS queries, or are there some defenses in place to prevent this vulnerability from being exploited?

Is it that the distros' security teams simply can't cope with the amount of vulnerabilities discovered every day, i.e. "Using a computer? Expect trojans/rootkits!" is the reality of computer security that has to be accepted?

lamefun
  • You are supposed to patch, harden, and test your boxes before putting them into production. If your idea of security is to install Ubuntu and that's it, then no amount of keeping up with patches by the vendor is going to help. – Marcin Feb 25 '16 at 21:32
  • For the same reason Windows and Macintosh install archives aren't updated... And those companies have the paid workforce to do it. Always start anything up behind a firewall, and run system update as the first or second operation the system will execute no matter what your choice of poison. – Fiasco Labs Feb 26 '16 at 00:47

1 Answer


Maintaining a distribution is Hard Work. It takes a lot of logistics to test the software packages, upgrade them, communicate with downstream developers, etc.

The install disk is the first experience a user has with the software, and it simply has to work. If it doesn't, the user isn't installing the software. So that's why distributions only make point releases and upgrade the install software every so often. If you had to rebuild the software at every security update, you'd be doing that so often you'd likely have quality control issues far more often than would be acceptable.

I'd say you're correct that the software would be vulnerable on first install. This is a tradeoff the distribution maintainers have (likely) weighed and accepted. Upon install, generally the first thing that happens is updating the software. There's some small risk that during this period, someone might be able to take advantage of the glibc vulnerability. The only DNS lookups that would happen before the glibc vulnerability was patched would be mirror sites, so an attacker would either have to control this, or perform a MiTM attack.

Steve Sether
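
To see which names the first update asks the resolver to look up, the sketch below lists the mirror hostnames configured in an apt sources file. It is an added example, not part of the original answer: the sample sources text is constructed, the function name `hosts_resolved_by_apt` is hypothetical, and it assumes the one-line sources.list format with only http, https and ftp sources counted.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample in the one-line sources.list format; not copied from a real image.
SAMPLE_SOURCES = """\
# deb cdrom:[Ubuntu 15.10 _Wily Werewolf_]/ wily main restricted
deb http://archive.ubuntu.com/ubuntu wily main restricted
deb-src http://archive.ubuntu.com/ubuntu wily main restricted
deb [arch=amd64] http://security.ubuntu.com/ubuntu wily-security main
deb http://192.0.2.10/ubuntu wily universe
deb file:/srv/local-repo ./
"""

# Assumption: only these schemes are treated as network sources.
NETWORK_SCHEMES = {"http", "https", "ftp"}

def is_ip_literal(host):
    """True when the host is an IP address, so no DNS lookup is needed."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def hosts_resolved_by_apt(sources_text):
    """Return the sorted hostnames that require a DNS lookup for these sources."""
    hosts = set()
    for raw in sources_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if not fields or fields[0] not in ("deb", "deb-src"):
            continue
        rest = fields[1:]
        # Skip the optional "[opt=value ...]" block, which may span several fields.
        if rest and rest[0].startswith("["):
            while rest and not rest[0].endswith("]"):
                rest = rest[1:]
            rest = rest[1:]
        if not rest:
            continue                             # malformed line: no URI found
        url = urlparse(rest[0])
        host = url.hostname
        if url.scheme in NETWORK_SCHEMES and host and not is_ip_literal(host):
            hosts.add(host)
    return sorted(hosts)

if __name__ == "__main__":
    for name in hosts_resolved_by_apt(SAMPLE_SOURCES):
        print(name)
```

Run against the real `/etc/apt/sources.list` contents on a fresh install, the output is the set of names whose DNS answers reach the unpatched resolver during that first update.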