Jeffrey Tadlock wrote:
> 2008/2/21 Toshio Kuratomi <a.badger@xxxxxxxxx>:
>> This is a highly inaccurate measure of security but it's something to look at. I wonder if lkundrak and the security team have a preference for blogging/news software :-)
>>
>> Number of CVEs listed on http://nvd.nist.gov/nvd.cfm
>>
>>        wordpress  drupal  mediawiki  zope  plone
>> 2008      30        17        1        0     0
>> 2007      64        37        7        2     1
>> 2006      21        39        4        1     3
>
> I looked at WordPress a bit this morning as well. I used the same source as Toshio did, but I think I used a slightly different search than him. I used the Advanced search and set the Product to WordPress. That yielded these numbers:
>
> 2008: 13
> 2007: 42
> 2006: 16

Thanks for doing a better search than I did! I'm not sure that your numbers are any more meaningful than mine, though, as what we need to do is establish how much vulnerability we'll incur if we use a certain tool. So, to narrow it down like you want to do, we need to find out how many CVEs affect the core + plugins that we'll be using (which seems like it's not going to be a static list until something gets deployed... and probably not even then.)
For instance, wordpress was being looked at in part because we may have some responsibility for Fedora.tv in the future (which is a wordpress platform with parts implemented via plugin). Someone wanted to host polls so we started looking at a plugin to do so. Once we get this up and running, the inclination to use the platform for more things will come about as well. Did you say it has gallery plugins? Well, the art team has wanted to host some sort of gallery for quite a while. The uses we put this to are just going to grow.
So knowing that plugins are vulnerable to attack could be very relevant to the discussion at hand. Perhaps some web platform's architectures sandbox plugins so that an exploit in their code is not as dangerous to the system as a whole. Perhaps some systems make it their responsibility to filter all data coming in and all data going out with the plugins sitting behind that layer. Perhaps some developer communities (I'm including the plugin authors here) are more concerned about coding in a secure manner than others. Perhaps some projects are proactive about potential security holes while others are reactive.
Looking at numbers of raw CVEs is a very coarse way to estimate this. I think that the numbers show a quality differential between mediawiki and the others but if we want to evaluate more than that, I think we have to start looking for better criteria like Mark Cox's days of risk and actually evaluating upstream's code.
-Toshio
Attachment:
signature.asc
Description: OpenPGP digital signature
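As an added illustration of the "days of risk" criterion Toshio mentions above (not code from the thread or from any of the projects discussed), the following Python computes per-product exposure from advisory records instead of counting raw CVEs. It assumes the metric is the number of days between public disclosure and the shipping of a fixed release, that a fix shipped on or before disclosure counts as zero, and that an unfixed issue keeps accruing days up to a reference date. The product names, component names, advisory ids and dates are constructed placeholders, chosen so that the "core only" and "core + plugins" views of the same product differ, which is the distinction the post says the raw counts blur.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Advisory:
    ident: str             # placeholder advisory id (constructed, not a real CVE)
    product: str           # the web platform (constructed name)
    component: str         # "core" or the name of a plugin
    disclosed: date        # date the issue became public
    fixed: Optional[date]  # date a fixed release shipped; None if still open


# Constructed sample advisories. "blogtool" has two core issues and two
# plugin issues (one still unfixed); "wikitool" has two core issues, one of
# which shipped its fix before the public disclosure (coordinated release).
SAMPLE: List[Advisory] = [
    Advisory("example-1", "blogtool", "core",    date(2008, 1, 10), date(2008, 1, 12)),
    Advisory("example-2", "blogtool", "core",    date(2008, 2, 1),  date(2008, 2, 1)),
    Advisory("example-3", "blogtool", "polls",   date(2008, 1, 20), date(2008, 2, 19)),
    Advisory("example-4", "blogtool", "gallery", date(2008, 2, 5),  None),
    Advisory("example-5", "wikitool", "core",    date(2007, 12, 1), date(2007, 11, 28)),
    Advisory("example-6", "wikitool", "core",    date(2008, 1, 15), date(2008, 1, 20)),
]

# Reference date for issues that have no fix yet (constructed).
AS_OF = date(2008, 2, 21)


def days_of_risk(adv: Advisory, as_of: date) -> int:
    """Days a deployment was exposed: public disclosure until a fix shipped.

    Assumed definition: a fix that shipped on or before disclosure counts as
    0 days; an issue with no fix is counted up to `as_of`, so it keeps growing.
    """
    end = adv.fixed if adv.fixed is not None else as_of
    return max(0, (end - adv.disclosed).days)


def summarize(advisories: Iterable[Advisory], as_of: date,
              include_plugins: bool = True) -> Dict[str, Dict[str, float]]:
    """Per-product exposure summary, optionally restricted to core code.

    Returns {product: {"count", "mean_days", "max_days", "unfixed"}}.
    """
    exposure: Dict[str, List[int]] = {}
    unfixed: Dict[str, int] = {}
    for adv in advisories:
        if not include_plugins and adv.component != "core":
            continue
        exposure.setdefault(adv.product, []).append(days_of_risk(adv, as_of))
        unfixed[adv.product] = unfixed.get(adv.product, 0) + (1 if adv.fixed is None else 0)
    return {
        product: {
            "count": len(days),
            "mean_days": round(mean(days), 1),
            "max_days": max(days),
            "unfixed": unfixed[product],
        }
        for product, days in exposure.items()
    }


if __name__ == "__main__":
    for label, with_plugins in (("core only", False), ("core + plugins", True)):
        print(label)
        for product, stats in summarize(SAMPLE, AS_OF, with_plugins).items():
            print(f"  {product}: {stats}")
```

With the constructed data, "blogtool" looks fine on core alone (two issues, at most two days exposed) but its plugins add a thirty-day window and an issue that is still open, which is exactly the kind of difference a per-product CVE count hides; the `include_plugins` switch is there to make that comparison explicit for whatever plugin set a deployment actually uses.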
_______________________________________________ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list