Hi,

Was noticing one of Josh Bressers' edits to wiki/Security today... (see the forward below). If Secunia's information is incorrect and misleading, misrepresenting the true security status of Fedora distributions, oughtn't we get in touch with Secunia to help coordinate updating their information to make it correct and informative? They claim to welcome feedback:

"If you have new information regarding a Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@xxxxxxxxxxxx

"Ideas, suggestions, and other feedback is most welcome."

It seems that Secunia may be doing us a service, putting a lot of work into informing the public of details about the security status of various Linux distros including Fedora -- work we may not have time to do and so are not doing at the moment. Perhaps we can support their work rather than just putting our heads in the sand and pretending it's not there misrepresenting the security status?

(a little later)

Okay, now I've actually *looked* at Secunia's pages... Hrm. It looks like Secunia only talks about issues that have releases published, and then only from the fedora-announce-list. They have nothing in their pages about vulnerabilities fixed by Fedora Legacy. (For example, see <http://secunia.com/graph/?type=adv&period=all&prod=2568> for FC1, which Fedora Legacy continues to maintain.)

And, since it appears they're only reporting from announcements of fixed packages, of course their little pie charts would show 100% fixed. (For example, see <http://secunia.com/graph/?type=sol&period=all&prod=5251> for Fedora Core 4.) It looks like they're doing no original research at all (like looking at CVEs from cve.mitre.org) to see if distros have any unpatched vulnerabilities ...

Does Secunia have folks that can be worked with so their Fedora pages can become reliable enough so we *can* have them linked to as a third-party site in our wiki?? And further, do any of us who work with security issues have *time* to invest in working with them to bring them in line with reality, assuming they're open to suggestions?

Regards,
David Eisenstein

---------- Forwarded message ----------
From: fedorawiki-noreply@xxxxxxxxxxxxxxxxx
To: fedorawiki-noreply@xxxxxxxxxxxxxxxxx
Date: Fri, 03 Mar 2006 22:32:50 -0000
Subject: [Fedora Project Wiki] Update of "Security" by JoshBressers

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Fedora Project Wiki" for change notification.

The following page has been changed by JoshBressers:
http://fedoraproject.org/wiki/Security

The comment on the change is:
The secunia pages are very wrong and misleading.

------------------------------------------------------------------------------
@@ -38, +38 @@ * http://fedoraproject.org/wiki/Presentations - == Third-Party Information == - - Secunia: - * [http://secunia.com/product/5251/ Secunia's Vulnerability Report for Fedora Core 4] - * [http://secunia.com/product/4222/ Secunia's Vulnerability Report for Fedora Core 3] - * [http://secunia.com/product/3489/ Secunia's Vulnerability Report for Fedora Core 2] - * [http://secunia.com/product/2568/ Secunia's Vulnerability Report for Fedora Core 1] - * [http://secunia.com/vendor/3/ Secunia's Red Hat vendor page] - ---- CategoryDocumentation CategorySecurity
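
Review bot: the removed block takes out the "== Third-Party Information ==" heading and the Red Hat vendor page link together with the four Fedora Core report links, but the change comment only says the Secunia pages are "very wrong and misleading" without saying what is wrong. Consider stating the specific inaccuracy in the change comment or in a short note on the page, so readers who previously followed these links know why they are gone, and say whether the Red Hat vendor page is affected by the same problem or was removed only because the section went away.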