Security of Bubba wrt recently discovered threats

mountaindude
Posts: 57
Joined: 25 Aug 2007, 11:56

Post by mountaindude »

First, I just love the Bubba, great little gadget.

A slight concern though..
If I understand things correctly, the central Debian repositories are turned off by default, in order to give Excito a controlled way of maintaining the Bubba's unique environment. (?)

But doesn't that also mean that Bubba users don't get the latest security fixes (and similar incremental patches) that are added to the central repositories?

Looking at a site like http://www.linuxsecurity.com, there are quite a few vulnerabilities reported each week. These are in most cases fairly quickly added to the central repositories, but are they also added to Excito's repository? If not, wouldn't any Bubba user having their Bubba accessible from the Internet be more exposed to attacks using these newly discovered vulnerabilities?


The background for my question is that I want to understand what risks I take when using my Bubba for example as an Internet accessible web, email or file server.

Thx,
/MD
tor
Posts: 703
Joined: 06 Dec 2006, 12:24

Post by tor »

mountaindude,

You are correct in this being a problem. The main reason that we turned off sources other than our own is to be able to do upgrades via the web-admin UI, which at times will not work when upgrading packages requiring manual configuration.

The only way we could make this possible would be by providing a complete source repository and maintaining all those packages ourselves, which Excito unfortunately doesn't have the resources to handle yet. We do however update our install image regularly with the latest updates.

This of course makes Bubba somewhat more vulnerable to attacks than a completely updated system. A note however is that most of these vulnerabilities are of the buffer-overflow type and the like, exploiting the ability to execute malicious code on the target. This code is almost always written for normal x86 PCs, making Bubba survive most of these.

That said, if one wants to stay on the safer side, one should do security updates once in a while. Unfortunately these will have to be done on the command line and require some Linux knowledge. This will be somewhat easier with the upcoming Excito Etch release that will be a bit more clean in its install.

/Tor
Co-founder OpenProducts and Ex Excito Developer
mountaindude
Posts: 57
Joined: 25 Aug 2007, 11:56

Post by mountaindude »

tor,

You guys do a truly great job - don't get me wrong.
And I agree, mirroring the entire repositories is a pretty big task to take on..
You're probably also right about Windows machines being more likely targets.

The background for my question was just to make sure I understood things correctly with respect to the security situation, what the options are etc.

Thx
mountaindude
Posts: 57
Joined: 25 Aug 2007, 11:56

Post by mountaindude »

Related question though:

When I press update in the web GUI, what is updated?
The GUI itself?
Configuration changes?
App updates?
Security fixes?
...?
msx
Posts: 106
Joined: 13 Jan 2007, 06:03
Location: Venice

Post by msx »

If I'm not wrong, it is a wrapper that calls "apt-get upgrade".
If you only have Excito's repository, it will update against that.
If you have Debian's, it will update against Debian. The problem is, many packages require user input that cannot be given in a web application, and so the process would likely hang.
That's one of the reasons they're disabled (if I got it right).
mountaindude
Posts: 57
Joined: 25 Aug 2007, 11:56

Post by mountaindude »

Right.
So as long as Excito puts in new patches, security fixes etc reasonably often and people press their update button, things should be fine.
I'd expect that most small patches/fixes don't require user interaction when installing, but besides that you're right about your comment.
habrys
Posts: 28
Joined: 22 Apr 2007, 16:58
Location: Bonn, Germany

Post by habrys »

I just installed the latest security patches on my Bubba. There were 19 of them available in the Debian sarge repositories, none of them in Excito's repository yet:

Code:

Get:1 http://security.debian.org sarge/updates/main libisc7 1:9.2.4-1sarge3 [157kB]
Get:2 http://security.debian.org sarge/updates/main libdns16 1:9.2.4-1sarge3 [466kB]
Get:3 http://security.debian.org sarge/updates/main bind9-host 1:9.2.4-1sarge3 [94.1kB]
Get:4 http://security.debian.org sarge/updates/main liblwres1 1:9.2.4-1sarge3 [90.4kB]
Get:5 http://security.debian.org sarge/updates/main dnsutils 1:9.2.4-1sarge3 [159kB]
Get:6 http://security.debian.org sarge/updates/main file 4.12-1sarge2 [28.9kB]
Get:7 http://security.debian.org sarge/updates/main libmagic1 4.12-1sarge2 [232kB]
Get:8 http://security.debian.org sarge/updates/main libkrb53 1.3.6-2sarge5 [329kB]
Get:9 http://security.debian.org sarge/updates/main php4-mysql 4:4.3.10-22 [20.6kB]
Get:10 http://security.debian.org sarge/updates/main libapache2-mod-php4 4:4.3.10-22 [1592kB]
Get:11 http://security.debian.org sarge/updates/main php4-common 4:4.3.10-22 [169kB]
Get:12 http://security.debian.org sarge/updates/main libexif10 0.6.9-6sarge1 [77.2kB]
Get:13 http://security.debian.org sarge/updates/main libid3-3.8.3 3.8.3-4.1sarge1 [204kB]
Get:14 http://security.debian.org sarge/updates/main libpq3 7.4.7-6sarge5 [125kB]
Get:15 http://security.debian.org sarge/updates/main php4 4:4.3.10-22 [1146B]
Get:16 http://security.debian.org sarge/updates/main samba 3.0.14a-3sarge6 [2559kB]
Get:17 http://security.debian.org sarge/updates/main samba-common 3.0.14a-3sarge6 [2010kB]
Get:18 http://security.debian.org sarge/updates/main xpdf-utils 3.00-13.7 [1280kB]
Get:19 http://security.debian.org sarge/updates/main xpdf-common 3.00-13.7 [56.6kB]

To do it you have to log in as root (su) and uncomment the following 3 lines in the /etc/apt/sources.list file:

Code:

deb http://ftp.se.debian.org/debian/ sarge main
deb http://security.debian.org/ sarge/updates main
deb http://ftp.se.debian.org/debian/ sarge non-free

Then do the following (still as root):

Code:

apt-get update
apt-get upgrade

It can take a while, especially the upgrade.

Then comment out the 3 lines above again in the /etc/apt/sources.list file.

And then again:

Code:

apt-get update

Do it at your own risk! It should be safe and I installed the last security patches myself, but I cannot guarantee that there are no side effects or conflicts with Excito's standard upgrade procedure. As far as I can tell everything seems to be all right, though.
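
The manual procedure from the post above as a script, added here as an example and not part of the thread: it comments the three Debian lines out again even when the upgrade fails, so a later press of the web update button does not run against Debian's repositories. The function names, the `excito.example` line in the constructed sample and the optional second argument (a stand-in for `apt-get`, for dry runs) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The three Debian lines named in the post,
# commented or not, as one extended regular expression.
DEBIAN_RE='deb http://(ftp\.se\.debian\.org/debian/ sarge (main|non-free)|security\.debian\.org/ sarge/updates main)[[:space:]]*$'

# Rewrite file $1 through sed expression $2 without relying on sed -i.
rewrite() {
    sed -E "$2" "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# Only the three Debian lines are touched; any other source line is left alone.
enable_debian_sources()  { rewrite "$1" "s@^[[:space:]]*#+[[:space:]]*($DEBIAN_RE)@\1@"; }
disable_debian_sources() { rewrite "$1" "s@^[[:space:]]*($DEBIAN_RE)@#\1@"; }

# Print how many of the three Debian lines are currently active in file $1.
active_debian_sources() { grep -E -c "^[[:space:]]*$DEBIAN_RE" "$1" || true; }

# Full procedure: enable, update, upgrade, disable, update.
# $1 = sources file (default /etc/apt/sources.list)
# $2 = apt command (default apt-get; pass `true` for a dry run) -- assumption
security_upgrade() {
    src=${1:-/etc/apt/sources.list}
    apt=${2:-apt-get}
    cp -p "$src" "$src.bak" || return 1          # keep a copy of the original
    enable_debian_sources "$src" || return 1
    rc=0
    { "$apt" update && "$apt" upgrade; } || rc=$?
    # Runs whether or not the upgrade succeeded, so the file never stays
    # pointed at Debian after a failed or interrupted package install.
    disable_debian_sources "$src" || rc=$?
    "$apt" update || rc=$?                       # refresh lists from the remaining sources
    return $rc
}

# Constructed sample sources.list for dry runs; the first line is a placeholder
# for the vendor repository, not Excito's real address.
make_sample() {
    cat > "$1" <<'EOF'
deb http://excito.example/ sarge main
#deb http://ftp.se.debian.org/debian/ sarge main
#deb http://security.debian.org/ sarge/updates main
#deb http://ftp.se.debian.org/debian/ sarge non-free
EOF
}

# Dry run:  make_sample /tmp/sources.list && security_upgrade /tmp/sources.list true
# Real run: security_upgrade            (as root; interactive prompts still appear)
```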