On Thu, 2008-02-21 at 13:13 -0500, Jeffrey Tadlock wrote:
> 2008/2/21 Toshio Kuratomi <a.badger@xxxxxxxxx>:
> > This is a highly inaccurate measure of security but it's something to
> > look at. I wonder if lkundrak and the security team have a preference
> > for blogging/news software :-)
> >
> > Number of CVEs listed on http://nvd.nist.gov/nvd.cfm
> >
> >        wordpress  drupal  mediawiki  zope  plone
> > 2008      30        17        1        0     0
> > 2007      64        37        7        2     1
> > 2006      21        39        4        1     3
>
> I looked at WordPress a bit this morning as well. I used the same
> source as Toshio did, but I think I used a slightly different search
> than him. I used the Advanced search and set the Product to
> WordPress. That yielded these numbers:
>
> 2008: 13
> 2007: 42
> 2006: 16
>
> If you search the vuln database for just wordpress it pulls in a lot
> of plugins for WordPress that have issues. Even the search I did
> pulled in results for plugins for WordPress and not just core
> WordPress components. So I went through 2008 and 2007 to see which
> results in my search affected core WordPress bits and which were for
> optional plugins. Those results were:
>
> 2008: 7
> 2007: 36
>
> Several of the hits for those two years had been for things like
> custom themes someone had provided or guest books or an image gallery.
>
> I also looked briefly at versions affected as well. Just using 2008
> as an example, there were still 7 security issues listed for core
> WordPress components so far. But if you figure you probably shouldn't
> still be running a 2.0.x version or 2.1.x version of WordPress in 2008
> then another 5 CVEs drop off the list leaving 2008 at 2 CVEs.
>
> To be fair, I only looked this closely at WordPress. It is quite
> likely Drupal's numbers would drop if I looked through those results
> and made decisions on which affected core bits and which affected
> plugins to Drupal. Like Toshio already said, this isn't the greatest
> way to determine the security of an app.
>
> > These numbers show a big difference between mediawiki and drupal or
> > wordpress. The questions are just how valid the numbers are and whether
> > we're confident that the combination of SELinux (which we will then
> > depend on; no more turning it off if we can't figure out a problem) and
> > mod_security will keep our servers and users of the sites safe from the
> > exploits that will appear.
>
> With any application we provide we need to consider security. I think
> SELinux is a valid means to help prevent damage from 0-day flaws as is
> mod_security. They are tools in the toolkit we can use to help reduce
> our attack surface. If we do move to PHP based apps, we could also
> consider looking at suhosin [1] as another tool for the toolbox.

Let's not, ever, say we're considering going to php based apps. I don't
mind deploying a few but I'll be damned if I'll ever 'go to php' as a
language.

-sv

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
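The triage Jeffrey describes above (count CVEs per year, drop the ones that are really about plugins or themes, then drop core entries that only affect releases nobody should still be running) is easy to do by hand for a dozen hits but gets error-prone across several products. The script below is an added example written for this thread, not code from the list or from any of the projects discussed; the records in SAMPLE_CVES are constructed, their ids are deliberately not real CVE identifiers, and the 2.2.0 version floor is an assumption standing in for "don't count 2.0.x/2.1.x". It reproduces the method, not the numbers quoted in the mail.

```python
"""Triage a CVE list the way the thread describes: count per year, separate
core entries from add-on entries, then keep only core entries that touch a
version at or above the oldest release still in use.

Added example; SAMPLE_CVES is constructed data, not NVD output.
"""
import re
from collections import defaultdict

# Constructed records. "component" is "core" or the name of an add-on
# (plugin/theme); "affected" lists the product versions the entry names.
SAMPLE_CVES = [
    {"id": "SAMPLE-2008-01", "year": 2008, "component": "core",
     "affected": ["2.0.11", "2.1.3"]},
    {"id": "SAMPLE-2008-02", "year": 2008, "component": "core",
     "affected": ["2.3.2"]},
    {"id": "SAMPLE-2008-03", "year": 2008, "component": "plugin:guestbook",
     "affected": ["2.3.2"]},
    {"id": "SAMPLE-2008-04", "year": 2008, "component": "theme:custom",
     "affected": ["2.2.1", "2.3.1"]},
    {"id": "SAMPLE-2007-01", "year": 2007, "component": "core",
     "affected": ["2.0.9"]},
    {"id": "SAMPLE-2007-02", "year": 2007, "component": "core",
     "affected": ["2.2.2", "2.3.0"]},
    {"id": "SAMPLE-2007-03", "year": 2007, "component": "plugin:gallery",
     "affected": ["2.2.2"]},
]


def parse_version(text):
    """'2.3.2' -> (2, 3, 2). Only the leading digits of each dotted part are
    used, so '2.3rc1' -> (2, 3); tuples compare the way versions should."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_core(record):
    """True for entries against the application itself, not an add-on."""
    return record["component"] == "core"


def affects_supported(record, min_supported):
    """True if any listed affected version is at or above the version floor.

    Caveat: this only works when the affected list is complete. An entry
    that names an old release may still apply to newer ones, so treat a
    'dropped' entry as a triage hint, not a verdict.
    """
    floor = parse_version(min_supported)
    return any(parse_version(v) >= floor for v in record["affected"])


def triage(records, min_supported):
    """Per-year counts: all entries, core-only, core-only still relevant."""
    counts = defaultdict(lambda: {"all": 0, "core": 0, "core_supported": 0})
    for rec in records:
        bucket = counts[rec["year"]]
        bucket["all"] += 1
        if is_core(rec):
            bucket["core"] += 1
            if affects_supported(rec, min_supported):
                bucket["core_supported"] += 1
    return dict(counts)


if __name__ == "__main__":
    # Assumed floor: the oldest release we would still consider running.
    for year, c in sorted(triage(SAMPLE_CVES, "2.2.0").items()):
        print(year, c)
```

The three columns correspond to the three numbers Jeffrey worked out by hand (raw search hits, core-only, core-only after discounting old releases). The version-floor filter is the weakest step: NVD entries often give an open-ended "and earlier" range or list only the version the reporter tested, so a record that appears to affect only 2.0.x/2.1.x should be read before it is discounted.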