2008/2/21 Toshio Kuratomi <a.badger@xxxxxxxxx>:
> This is a highly inaccurate measure of security but it's something to
> look at. I wonder if lkundrak and the security team have a preference
> for blogging/news software :-)
>
> Number of CVEs listed on http://nvd.nist.gov/nvd.cfm
>
>        wordpress  drupal  mediawiki  zope  plone
> 2008          30      17          1     0      0
> 2007          64      37          7     2      1
> 2006          21      39          4     1      3

I looked at WordPress a bit this morning as well. I used the same source as Toshio did, but I think I used a slightly different search than he did. I used the Advanced search and set the Product to WordPress. That yielded these numbers:

2008: 13
2007: 42
2006: 16

If you search the vuln database for just "wordpress" it pulls in a lot of plugins for WordPress that have issues. Even the search I did pulled in results for plugins for WordPress and not just core WordPress components. So I went through 2008 and 2007 to see which results in my search affected core WordPress bits and which were for optional plugins. Those results were:

2008: 7
2007: 36

Several of the hits for those two years had been for things like custom themes someone had provided, or guest books, or an image gallery.

I also looked briefly at the versions affected. Just using 2008 as an example, there were still 7 security issues listed for core WordPress components so far. But if you figure you probably shouldn't still be running a 2.0.x or 2.1.x version of WordPress in 2008, then another 5 CVEs drop off the list, leaving 2008 at 2 CVEs.

To be fair, I only looked this closely at WordPress. It is quite likely Drupal's numbers would drop if I looked through those results and made decisions on which affected core bits and which affected plugins to Drupal. Like Toshio already said, this isn't the greatest way to determine the security of an app.

> These numbers show a big difference between mediawiki and drupal or
> wordpress. The questions are just how valid the numbers are and whether
> we're confident that the combination of SELinux (which we will then
> depend on; no more turning it off if we can't figure out a problem) and
> mod_security will keep our servers and users of the sites safe from the
> exploits that will appear.

With any application we provide we need to consider security. I think SELinux is a valid means to help prevent damage from 0-day flaws, as is mod_security. They are tools in the toolkit we can use to help reduce our attack surface. If we do move to PHP based apps, we could also consider looking at suhosin [1] as another tool for the toolbox.

Thanks,
Jeffrey

[1] http://www.hardened-php.net/suhosin/

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list