Open Source Vulnerability Database Goes Live

Alascom writes "The Open Source Vulnerability Database project has finally gone live. The project aims to provide comprehensive, free and unbiased (no vendor spin) vulnerability information. The database is being incorporated into such fine open source utilities as SNORT and NESSUS."


  • by tcopeland ( 32225 ) * <tom AT thomasleecopeland DOT com> on Friday April 02, 2004 @10:39AM (#8746260) Homepage
    ...per the database info [osvdb.org] page.

    <shameless>
    Hey OSVDB folks, here's a little utility to do some PostgreSQL query analysis [rubyforge.org]!
    </shameless>
  • Naming is important (Score:5, Interesting)

    by Space cowboy ( 13680 ) * on Friday April 02, 2004 @10:40AM (#8746267) Journal

    The name implied to me that it is only vulnerabilities in Open Source programs/systems that will be tracked, but reading the FAQ it seems to be that the database itself is open-source, and the database covers all systems. I think they could have named it better.

    Simon
  • Old news (Score:4, Informative)

    by RT Alec ( 608475 ) * <alecNO@SPAMslashdot.chuckle.com> on Friday April 02, 2004 @10:40AM (#8746271) Homepage Journal
    Not the project, just the posts. Sendmail vulnerability from 2002? FreeBSD vulnerability (top of the list, no less) from 2000? Did I miss something?
    • Re:Old news (Score:5, Insightful)

      by Arathrael ( 742381 ) on Friday April 02, 2004 @10:55AM (#8746431)

      There are two conflicting maxims when it comes to updating systems:

      'Always apply the latest updates' and 'If it ain't broke, don't fix it'.

      Given that many people are both lazy and ignorant, they like to assume that if it appears to be working, it is, and thus they don't have to update/fix it. I imagine there's a lot of sendmail systems out there unpatched since before 2002. Old news, in terms of serious vulnerabilities, is therefore still highly relevant, since it provides a quick way of pointing and saying: 'Look, it is broken, fix it you lazy muppet'. :-)

      Having said that, those are just the 'most recent entries' on the frontpage in relation to date of entry to the database. I think that's useful to have there so you know what's been added since a previous check.

      • Re:Old news (Score:2, Interesting)

        by pmfp ( 682203 )
        Which makes me wonder about Debian, they backport the patches and have a slow release cycle. The systems appear to be old and vulnerable, with only half of it being true... doesn't really match this reporting.
      • There are two conflicting maxims when it comes to updating systems:
        'Always apply the latest updates' and 'If it ain't broke, don't fix it'.


        The latter maxim also applies to whoever is producing the "update". Especially if the software in question isn't written in a well structured way. With "spaghetti code" attempting to remove a bug or add a new feature can have all sorts of unwanted effects.
    • Re:Old news (Score:5, Informative)

      by CaptainBaz ( 621098 ) on Friday April 02, 2004 @10:56AM (#8746436) Homepage Journal
      Not really - it's hard to take, but there really are systems out there who still haven't patched these vulnerabilities!
    • Re:Old news (Score:2, Informative)

      by 4rest ( 725123 )
      Vulnerabilities that exist in OSVDB have a status and each vulnerability requires some work before we hand out the information. The vulnerabilities on the front page are the last ten vulnerabilities that have been deemed complete, and ready for general consumption.

      Check out the FAQ for more information. [osvdb.org]
  • securityfocus (Score:2, Interesting)

    by Anonymous Coward
    isn't securityfocus doing that already?
  • by UFNinja ( 726662 ) on Friday April 02, 2004 @10:41AM (#8746277)
    Slashdotting. ;)
  • Mmmmm.... (Score:4, Interesting)

    by jwthompson2 ( 749521 ) * on Friday April 02, 2004 @10:42AM (#8746283) Homepage
    No vendor spin on security issues. Now we can know the truth to the best of our ability without corporate FUD, hype or downplay.

    Gotta love technology when it helps get the full-truth out there.
    • Re:Mmmmm.... (Score:2, Insightful)

      by Bug2000 ( 235500 )
      Like spin and hype are a vendor monopoly... Is OS spin really better?

      Spin is everywhere where there is subjectivity.
    • >No vendor spin on security issues. ... yet.

      If this thing becomes popular you don't think that every profit or non-profit group will use it to enforce their own narrow point of view?
    • Right, because a project with OpenSource in the name is sure not to have any agendas or bias....

      By the way, want to buy some swampland in Florida?

  • by Phisbut ( 761268 ) on Friday April 02, 2004 @10:42AM (#8746285)
    I can hear it from here... Microsoft saying "See, Open Source isn't more secure than our stuff... there is a public database that all hackers and crackers can use to exploit known vulnerabilities..."

    How long will it take till they say that?

    • How long will it take till they say that?
      If you're calculating time using Windows, it could be as long as 54,367 minutes.
    • The irony is it will make the strong stronger, and the weak weaker. In other areas of society we shun this, or at least claim to.
    • Heh... Microsoft should get something like that for MS apps... like an independent bug tracker for Windows software so disasters like BlackICE would be avoided somehow.
    • Isn't that like the Iranian government saying that the U.S. Congress is more corrupt than they because we air all our disagreements and debate on TV?

      I mean, when was the last time we heard a debate amongst the Iranian leaders, the likes of what we see on C-SPAN? Does that mean their system is less volatile than our republic?

      Full disclosure is vital to the security of open systems.

    • Not intended as a troll, but:

      Google for "Microsoft Vulnerability" [google.com] yields 4,900 hits.
      Google for "Linux Vulnerability" [google.com] yields 2,470 hits.

      But, if you search another way...
      Google for "Microsoft Exploit" [google.com] yields 993 hits,
      Google for "Linux exploit" [google.com] yields 1880 hits.

      So, it's all in the reporting. I mean, you know and I know that it's not surprising that there might be more hits for Linux, 'cause the Linux community tends to shout it loud that there are exploits, and that they're either fixed or being fixed, bu
      • try Windows Vunerability [google.com] to be more precise. It yields 16,600 hits
        You are comparing a company to Linux. Compare platform to platform instead.
        • I've got to add, though, that comparing security based on web search results is not very precise.
          • Oh, of course not, but i mean, these results can be skewed to say anything you want them to.

            Like the ad that I saw at the ^^ top of slashdot that says "Microsoft windows server 11-22% cheaper in 4 out of 5 operations". But, that's whatever they consider TCO, and possibly not taking into account things like uptimes and reliability, etc. Plus, what about the 5th? Is linux 600% cheaper?

            This is just one of those places that people can get their fuel to fan the fire.
        • And, Windows Exploit [google.com] returns 893,000 hits!

          Whoa, even I didn't expect that...
      • But, if you search another way... Google for "Microsoft Exploit" yields 993 hits, Google for "Linux exploit" yields 1880 hits.

        These numbers don't actually indicate the number of actual exploits...

        So, it's all in the reporting. I mean, you know and I know that it's not surprising that there might be more hits for Linux, 'cause the Linux community tends to shout it loud that there are exploits, and that they're either fixed or being fixed,

        The figures could mean that Windows and Linux have similar numbers
    • Actually there is truth to your statement. Previously it was easier to hide vulnerabilities in open source projects or keep them on some obscure page.

      For instance do a search on Mozilla. They are issuing reports on vulnerabilities in 1.6. That represents a very big hole in Mozilla's normally security model, which relies on keeping all the vulnerability they have a secret for 2 minor versions. If this site starts making public the almost monthly arbitrary code execution vulnerabilities in Mozilla, while a lot
  • by paroneayea ( 642895 ) on Friday April 02, 2004 @10:43AM (#8746296) Homepage
    I could see many users getting angry over this, thinking this is to the disadvantage of open source technology, but no.... this is clearly an advantage! This database will help ensure that essential bug fixes get worked on immediately.
    So don't flame over this... it will help make open source software more secure! Oh, right, and if you might think to the contrary, that people not knowing about vulnerabilities is the best way to go for security, you clearly need to do more research on the way open source software works, and why it is so effective.
    • And when we have non-disruptive upgrade technology so that the (possibly daily) patches to the thousands of packages included with a system, then we'll start dancing in the streets. Naked.

      All this extra exposure does is make more work for admins - yes, keeping on top of security updates is very important, but the current methodologies don't scale very well.
      • And when we have non-disruptive upgrade technology so that the (possibly daily) patches to the thousands of packages included with a system, then we'll start dancing in the streets. Naked.
        Gentoo's portage does wonders for me in that regard. But I suppose not all sysadmins want to go compiling all their packages to save unnecessary system load. Still, there are similar programs for binary updates.
      • What Linux distro are you using? Fedora Core has up2date, apt and yum. Just type apt-get update && apt-get upgrade and you're done. Red Hat has up2date and the Red Hat Network, just run up2date or login to RHN. I can use RHN from anywhere over SSL and update any of my RH servers. I can organize my RH servers into groups and push out packages/updates as needed by server, by group or all servers. When it is all done, I get a nice summary email. I have never seen an update to RH or Fedora that wo
  • Even though the site seems a bit slashdotted it looks interesting. Even the open information on how to exploit, even though I'd just love to even get a full article on what makes every exploit possible. I like understanding. However, looks interesting.
  • Cool! (Score:4, Interesting)

    by MrFreshly ( 650369 ) on Friday April 02, 2004 @10:43AM (#8746306)
    This should be done for all types of software... Perhaps developers will be a little more careful with their coding and end users will be able to see just how secure the software is before they commit to it.
    • Or... we'll stop using computers entirely because the illusion that it's all well written and put together carefully will be stripped away.
  • Slashdotted? (Score:5, Informative)

    by luferbu ( 703405 ) <luferbu@fluids[ ]al.com ['ign' in gap]> on Friday April 02, 2004 @10:44AM (#8746310)
    As it seems to be already /.ed here is the Google cache [66.102.9.104]
    • I hope they get funding or donations to beef up their web serving capability, since if it becomes successful, I'd imagine nearly every slashdot story (and other mass-media coverage) concerning big vulnerabilities will link to their site.
  • by 0x0d0a ( 568518 ) on Friday April 02, 2004 @10:48AM (#8746357) Journal
    Yeah, this'll be *real* useful. A database with entries that become obsolete after eight hours. "There's a Linux kernel vulnerability, and it...aw, darn." ;-)
  • Disagree (Score:1, Insightful)

    by agentx0r ( 675558 )
    I don't agree with "...vendors have this much time to patch..." I don't just disagree with it on this database, but all of them. That is just defeating the whole purpose. "We'll give you this long to fix it, and if not, we release our dogs!" That is inherently stupid, for lack of a better word. Regardless of the amount of time passed, the general public, or hacker public, does not need to know how to exploit these bugs, only that they exist, and are being fixed, and where to get the newest version. The vend
    • Re:Disagree (Score:5, Insightful)

      by Anonymous Coward on Friday April 02, 2004 @11:13AM (#8746597)

      Regardless of the amount of time passed, the general public, or hacker public, does not need to know how to exploit these bugs, only that they exist, and are being fixed, and where to get the newest version.

      And what happens when it isn't being fixed? Vendors have shown time and time again that unless pressure is put upon them, security fixes have a very low priority. Full disclosure is the best method of increasing that priority.

    • by GirTheRobot ( 689378 ) on Friday April 02, 2004 @11:14AM (#8746607)
      Customers have a right to know that they are using vulnerable software, and be given the chance to secure themselves in any way possible. When I say customers, that means not only joe sixpack, but the admins of mission-critical and sensitive systems as well. If the vendor is unable or unwilling to fix the problem in a reasonable amount of time, the public should be given the ability to. Security through obscurity is a farce. Script kiddies might take exploit code once it is posted, but the crackers that otherwise know of these exploits are the ones doing the real damage.

      Information can be abused, yes, but personally, I think it is better than ignorance.

      • I do agree we have a right to know, but I think we need to go about full disclosure in a different way. I don't think the methods of exploiting a bug need to be revealed in order for them to be fixed. Simply saying "There is a problem with the way badFunction() handles non-ASCII characters causing a core dump" should be sufficient information for anyone with desires to fix the problem, rather than exploit it. Sure, some cases may require more, but I don't think full disclosure is a good idea. You bring up m
        • If it's enough information for a dev to troubleshoot and fix it, it's enough information for a cracker to write an exploit for it. Exploit proof of concept code is a convenience for testing the correctness of fixes and it relieves some of the burden on developers. Not posting it would have no effect on script kiddies.

          The idea that you have to be kept ignorant for your own protection is so intellectually and morally bankrupt that it boggles my mind that people keep using it. Of course it's reasonable to noti

      • Original poster is not arguing for security by obscurity. He says:

        Regardless of the amount of time passed, the general public, or hacker public, does not need to know how to exploit these bugs, only that they exist, and are being fixed, and where to get the newest version.

        He wants you to know that there is a flaw in your "mission-critical and sensitive systems," he just doesn't want the explicit instructions about how to do it.

        The public can take over the responsibility for patching only on Open Sou

        • I guess I missed his point to an extent myself =)

          It is a very valid point that 95%+ of end-users don't need to have exploit code to know that their software is vulnerable (and I am a member of that group, as I am no developer). The burning question is whether exploit code should be published period. As a matter of principle I think it should, and many would agree with me. Information wants to be free, and we all know there are drawbacks to an open information society.

          In the end, it comes down to dev

        • He wants you to know that there is a flaw in your "mission-critical and sensitive systems," he just doesn't want the explicit instructions about how to do it.

          So what you're describing is not only believing that a vulnerability exists on face value of the claim, but that this vulnerability has also been mitigated based on the face value of a release from the vendor. This ignores several issues.

          First, people do occasionally lie. I like to think that's a rarity. However, it's hard to claim somethin

    • If the vendor isn't fixing the problem, details (DETAILS) about the hole need to be released so the community can.

      That's how this whole, weird 'open source' thingy works.

      Cheers
  • by LqqkOut ( 767022 )
    Kudos to the OSVDB crew!
    I wish you much success on completing your vulnerability update/addition modules so that your moderators' inboxes can have some breathing room!

    With Retina [eeye.com] at $995 for 16 IPs, this additional gunpowder for OSS will really keep the commercial vendors on their toes.

    Maybe this will create a better turn-around time for M$'s "Security Initiative" too... Oh, wait, it's 4/2!

  • by crawdaddy ( 344241 ) on Friday April 02, 2004 @10:54AM (#8746416)
    Open source vulnerability database goes live...and two days later, it goes dead.

    Slashdot - bringing you customizable DDoS attacks for years to come.
  • Professionalism (Score:4, Insightful)

    by schnarff ( 557058 ) <alex&schnarff,com> on Friday April 02, 2004 @10:56AM (#8746441) Homepage Journal
    I think that this is an excellent concept...I just wish that it were executed well enough that the site wasn't Slashdotted after 25 comments. I mean, damn, we're already trying to shake off the image of being a bunch of amateurs, and having a web site that can't even stand up to moderate traffic doesn't help.
    • It's alright (Score:3, Insightful)

      by Moth7 ( 699815 )
      A slashdotting is an honour, not a disgrace ;) The sites of many commercial adventures have gone down after a couple of comments - hell, some have even gone down while the story is still in "The Distant Future" waiting for the front page. A slashdotting is nothing to be ashamed of.
  • Charts (Score:2, Funny)

    by bigbaloney ( 767817 )
    I sure hope they will provide nice charts with statistics like which OS is more secure. Or perhaps a toplist with an approximation of how many users are affected. That would be very useful to the (h|cr)acker community. ;-)
  • already been done (Score:5, Informative)

    by musikit ( 716987 ) on Friday April 02, 2004 @11:02AM (#8746496)
    you know i hate the company but it has already been done and is most likely a better DB.

    the MITRE Common Vulnerability and Exposures DB

    http://www.cve.mitre.org/

    • Re:already been done (Score:5, Interesting)

      by brennz ( 715237 ) on Friday April 02, 2004 @11:48AM (#8746935)
      The CVE is "A Dictionary, NOT a Database" of vulnerabilities. It appears you aren't familiar with the CVE

      You would be better off to compare the OSVDB against the ICAT metabase [nist.gov]

      The ICAT has some serious shortcomings which makes my work a big PAIN! (try to cross reference a specific vulnerability that matches 10 vulnerabilities).

      OSVDB appears to better personify the open source paradigm in general, as such, I'd like to extend a warm welcome.

      We expect great things from you.
  • by Anonymous Coward on Friday April 02, 2004 @11:06AM (#8746538)
    Security Focus became BIASED as hell from when Symantec bought them. Finally a really neutral source of information. Thank you for doing this guys ...
  • Checklist (Score:1, Interesting)

    by Anonymous Coward
    What about security checklists, are there any? I mean when making a fresh install, after applying all patches, what settings should be changed? For example restrictanonymous or nolmhash in WinXP, stuff like that.
    • If you are looking for security checklists/hardening guides, NIST releases the combined NSA/DISA guidance here [nist.gov]. Unfortunately, it is commercial OS centric, the Linux coverage woeful, the *BSD coverage nonexistent :(

      Don't go to CI$ - they are basically repackaging DISA/NSA guidance, then charging for it!
  • A good idea (Score:1, Interesting)

    by PingKing ( 758573 )
    Is it a good idea to have a one-stop shop for potential crackers out there? Do the benefits really outweigh the fact that it's just gotten a hell of a lot easier to find a vulnerability in someone's server?
    • Ok, one more time: Obscurity does not create security. Assume the crackers already know the vulnerabilities. This is to allow the "white hats" to defend themselves.
  • Nessusing their site right now is missing something that it definitely should have reported.

    Vulnerability to Slashdotting DDoS: High.
  • "The web server behind http://www.osvdb.org doesn't handle high traffic well enough".
  • oval.mitre.org (Score:2, Informative)

    by eludom ( 83727 )
    Yunz may want to look at http://oval.mitre.org
    In addition to listing WHAT the vulnerability is,
    it tries to define standardized methods for determining
    HOW to test for it.
  • by possible ( 123857 ) on Friday April 02, 2004 @01:08PM (#8747650)

    Calling something "open source" doesn't make it open or free (as in freedom). There are three issues of concern here.

    First, the licensing terms [osvdb.org]. Why didn't they license the OSVDB database under a free license, whether it be GPL, GFDL, or even the BSD license? If OSVDB and its sponsors (including primarily Digital Defense, Inc. [digitaldefense.net], a privately held computer security firm) retain complete ownership of the content, and nobody has the right to fork the database or create derivative works, I can't see why it's being spun as "open source".

    Second, I was concerned when I read the OSVDB's statement of intent to comply with the DMCA. A non-free (read: non-forkable) database based in the United States might not be the best idea. One DMCA injunction could shut it down. Since, from my reading of the terms and conditions, nobody has the right to duplicate or fork this database, the work could not continue outside the US if a DMCA injunction shut it down.

    Third, the issue of neutrality and bias. I don't believe that a non-free database sponsored by a private security consulting firm based in the United States will be able to remain neutral for long. Private companies are under no obligations to disclose their partnerships or agreements with vendors.

    You know, there are non-trivial, free (GFDL) databases [wikipedia.org] out there...the precedent exists for high quality, truly FREE content. I hope OSVDB considers licensing the content under the GFDL or BSD license.

    • Why in the good god of water does one need to make a derivative work of a report that says "this library has a major flaw, be warned"
  • Here is the canned quote, bereft of a single soundbite, which goes to show just how important this deal is to the company.

    "This agreement will be of significant benefit to both Sun and Microsoft customers. It will stimulate new products, delivering great new choices for customers who want to combine server products from multiple vendors and achieve seamless computing in a heterogeneous computing environment. We look forward to this opportunity - it provides a framework for cooperation between Sun and Micro
  • Easy livin' (Score:5, Insightful)

    by Doc Ruby ( 173196 ) on Friday April 02, 2004 @02:56PM (#8748825) Homepage Journal
    Where's the OSVDB client, that I install on a host on my LAN, that gets up-to-date security notices selected from queries defined by my local configs? That is the missing layer in OSS SW distribution. Installers, like apt-get, should register installed packages with the local OSVDB.

    The local DB gets queried by the client for installed inventory, then queries the remote server. Vulnerable SW is tagged with advisory instructions, including patch URLs, confirmation URLs, and "help me" URLs, as well as the URL of the Internet site with that support and more (discussions, etc). The client sends a notification email to the sysadmin, optionally including clickable HTML to install the patch packages (which are, of course, registered with the local DB). Confirmation reports are easily entered in the HTML interface, pointing at the client, which first posts them to the local DB cache for later analysis, then posts them to the remote OSVDB. Requests for help are passed to tech support, based on a policy config'ed when the client is installed: existing support contracts, filtered marketplace pool, government/industry referral service.

    This infrastructure is the natural evolution of the global infosystem. It mirrors the evolution of the cell: we've got a cell (fire)wall already, and the nucleus (sysadmin server) is now growing a membrane (security infrastructure), with tRNA codes (patches) keeping homeostasis (uptime). As the organism (network) is sickened (exploited) by viruses (viruses) and genetic defects (bugs), vaccines (patches) and therapies (upgrades) keep the organism healthy, and reduce the risk of epidemic infection (every few days on the Internet). Once organisms got an immune system, and communities that worked with it, we took over the world from the volcanoes, eventually freeing our brains for human endeavors (gaming, surfing porn, online dating). If developers bundle the straightforward complexity in simple automated tools, the infosystem's health will become as implicit as our own.
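The client Doc Ruby sketches above (an inventory registered by the installer, a query against the remote vulnerability feed, advisories carrying patch, confirmation and help URLs, and a notification mail to the sysadmin) as an added example in Python. This is not OSVDB code or anything posted in the thread. The package names, version numbers, advisory IDs, URLs and the `backported` field are constructed for the example, and the version ordering is a simplified assumption rather than dpkg or rpm semantics. The `backported` set covers the Debian situation pmfp raises earlier in the thread: a distribution that backports the fix without bumping the upstream version string, so a plain version comparison would wrongly flag the package.

```python
"""Local vulnerability-advisory client (constructed example, not OSVDB code)."""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledPackage:
    """One inventory row, as an installer such as apt-get would register it."""
    name: str
    version: str
    # Advisory IDs whose fix the distributor backported without changing the
    # upstream version string (the Debian case raised in the thread).
    # Constructed field for this example, not an OSVDB concept.
    backported: frozenset = frozenset()


def version_key(version):
    """Sort key comparing numeric and alphabetic runs position by position.

    Assumption: a simplified ordering, not dpkg or rpm semantics. A number
    outranks a letter run at the same position, and a version with extra
    trailing components ('8.12.8-1') sorts above its prefix ('8.12.8').
    """
    return tuple(
        (1, int(tok)) if tok.isdigit() else (0, tok.lower())
        for tok in re.findall(r"\d+|[A-Za-z]+", version)
    )


REQUIRED_FIELDS = {"vuln_id", "package", "fixed_in", "title",
                   "patch_url", "confirm_url", "help_url"}


def load_feed(feed_json):
    """Parse the remote feed (a JSON list) and reject records missing fields."""
    records = json.loads(feed_json)
    for rec in records:
        missing = REQUIRED_FIELDS - set(rec)
        if missing:
            raise ValueError(f"record {rec.get('vuln_id')!r} lacks {sorted(missing)}")
    return records


def is_affected(pkg, rec):
    """True when the feed record applies to this installed package."""
    if pkg.name != rec["package"] or rec["vuln_id"] in pkg.backported:
        return False
    return version_key(pkg.version) < version_key(rec["fixed_in"])


def match_inventory(inventory, feed):
    """Cross the local inventory with the feed; one advisory dict per hit."""
    return [
        {**rec, "package": pkg.name, "installed": pkg.version}
        for pkg in inventory
        for rec in feed
        if is_affected(pkg, rec)
    ]


def render_notification(advisories, host):
    """Plain-text body of the sysadmin mail, with the advisory URLs inline."""
    if not advisories:
        return f"{host}: no installed package matches a known vulnerability\n"
    out = [f"{host}: {len(advisories)} vulnerable package(s)\n"]
    for a in advisories:
        out.append(f"- {a['package']} {a['installed']} -> fixed in {a['fixed_in']} "
                   f"({a['vuln_id']}: {a['title']})\n"
                   f"  patch: {a['patch_url']}\n  confirm: {a['confirm_url']}\n"
                   f"  help: {a['help_url']}\n")
    return "".join(out)


# Constructed sample data: placeholder advisory IDs and example.org URLs.
SAMPLE_INVENTORY = [
    InstalledPackage("sendmail", "8.12.3-5", frozenset({"OSVDB-EXAMPLE-1"})),
    InstalledPackage("openssh", "3.5p1"),
    InstalledPackage("apache", "1.3.27"),
    InstalledPackage("openssl", "0.9.7d"),
]

SAMPLE_FEED_JSON = json.dumps([
    {"vuln_id": f"OSVDB-EXAMPLE-{i}", "package": p, "fixed_in": f,
     "title": f"placeholder {p} issue",
     "patch_url": f"https://example.org/patch/{p}",
     "confirm_url": f"https://example.org/confirm/{i}",
     "help_url": f"https://example.org/help/{i}"}
    for i, (p, f) in enumerate(
        [("sendmail", "8.12.8"), ("openssh", "3.7.1"), ("apache", "1.3.29"),
         ("openssl", "0.9.7c"), ("bind", "9.2.2")], start=1)
])

if __name__ == "__main__":
    hits = match_inventory(SAMPLE_INVENTORY, load_feed(SAMPLE_FEED_JSON))
    print(render_notification(hits, host="db1.example.internal"))
```

Run directly, it reports openssh and apache as vulnerable: sendmail is skipped because the installer recorded the backported fix, openssl 0.9.7d sorts above the 0.9.7c fix, and bind is not installed. A real client would fetch the feed over HTTPS, keep the hits in the local cache the post describes, and hand the confirmation URLs back once the patch is applied.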
  • Am I the only one that likes browsing entries by the order in which they were created?
  • Expect them to be taken down soon due to a law suit
  • The content is rather small with only 1878 entries. The ICAT [nist.gov] database, however, is mature with 6548 entries.
  • I like the idea behind this project, but there are a couple of problems here:

    1) They don't provide an easy way of downloading the database. You have to accept their license to download it before getting the real thing. ICAT and CVE Mitre don't put such restrictions on using their databases.
    2) The database schema is made for PostgreSQL: This is cool and all, but I don't wanna be tied or tie my tool to a particular database; what if I want to use MySQL or Sybase or Oracle or MSSQLServer? They should allow y
    • 1. The Mitre CVE is "A Dictionary, NOT a Database".

      2. The ICAT Metabase is seriously flawed, even more so than the CVE.

      3. The Schema may be for PostgreSQL, but the contents should be ANSI SQL compliant. Gee, so hard?

      4. Are you even familiar with the CVE or ICAT? I think not.

  • How long 'til the sophistication of the database and the sophistication of a virus merge at a point where we have a virus that can consult the database and implement the vulnerabilities documented within?

    Or, more likely, how long 'til they publish a vulnerability that they have failed to protect against?
