Focus on Linux
Red Hat vs Debian Linux: overall security Nov 27 2006 05:44PM tjanas austin rr com (7 replies)
Re: Red Hat vs Debian Linux: overall security Nov 29 2006 10:04PM Uday K. MOORJANI (umoorjani mediaserv net)
Re: Red Hat vs Debian Linux: overall security Nov 28 2006 06:18PM Cristobal Palmer (cristobalpalmer gmail com)
Re: Red Hat vs Debian Linux: overall security Nov 28 2006 06:09PM Vincent Renardias (vincent renardias com)
> I am evaluating the overall security of Red Hat Linux vs Debian. I've been told that Debian has many more vulnerabilities than Red Hat. I've also been told that Red Hat is quicker to release security patches than Debian is for the "stable" release. Can someone point me to a good overall assessment of the two? Using this tool: www.securityfocus.com/bid I see that Debian has 17 pages worth of issues but Red Hat has surprisingly few. Am I misinterpreting the results from this tool?

It depends how fine-grained you want to get. Being very rough-and-ready
about it:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=redhat
Results: 1591

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=debian
Results: 1526

...and, for reference, Fedora:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=fedora
Results: 423

From that, can you derive that Red Hat is less secure than Debian? No.
You can only derive that there are more CVE entries for "redhat" than
there are for "debian", but with no more granularity than that.

On the face of it, Red Hat releases new versions far more frequently than
Debian (see Fedora) and will, probably, be more likely to have more
vulnerabilities. However, what is the effect of said vulnerabilities?
Are they gaping, remote, root privilege escalation holes
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0010); or are
they more subtle, where a local user with a specific environment can
cause a local DoS attack by accessing a specially crafted filesystem
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0815)?

You need to think about your definition of "security" before making a
move on your assessment. And have a good look around for the various
places this info is available, too.

Graeme
--
Graeme Fowler
Loughborough University
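
An added example, not part of the original post or thread: one way to go beyond a raw keyword count is to break each result set down by reach and severity. It assumes CVSS v2 base vectors are available for each entry (the post does not mention CVSS); the entry IDs, vectors and "distro A/B" names are constructed sample data, not real CVE records.

```python
from collections import Counter

# CVSS v2 base-metric weights (from the CVSS v2 specification).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}

def base_score(vector):
    """CVSS v2 base score for a vector such as 'AV:N/AC:L/Au:N/C:C/I:C/A:C'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    if impact == 0:
        return 0.0
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)

def bucket(vector):
    """Label an entry by reach (remote/local) and CVSS v2 severity band."""
    score = base_score(vector)
    reach = "remote" if vector.startswith("AV:N") else "local"
    band = "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"
    return f"{reach}/{band}"

def profile(entries):
    """Entry count plus a per-bucket breakdown for one keyword's results."""
    return len(entries), Counter(bucket(v) for _, v in entries)

# Constructed sample data: placeholder IDs and vectors, not real CVE records.
DISTRO_A = [
    ("EXAMPLE-0001", "AV:N/AC:L/Au:N/C:C/I:C/A:C"),  # remote, full compromise
    ("EXAMPLE-0002", "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
    ("EXAMPLE-0003", "AV:L/AC:L/Au:N/C:N/I:N/A:P"),  # local DoS
]
DISTRO_B = [
    ("EXAMPLE-0101", "AV:L/AC:L/Au:N/C:N/I:N/A:P"),
    ("EXAMPLE-0102", "AV:L/AC:M/Au:N/C:N/I:N/A:P"),
    ("EXAMPLE-0103", "AV:L/AC:L/Au:N/C:N/I:N/A:C"),
    ("EXAMPLE-0104", "AV:N/AC:M/Au:N/C:N/I:N/A:P"),
]

if __name__ == "__main__":
    for name, entries in (("distro A", DISTRO_A), ("distro B", DISTRO_B)):
        count, breakdown = profile(entries)
        print(name, "entries:", count, dict(breakdown))
```

In the constructed data, distro B has more entries than distro A but none in the remote/high bucket, which is the distinction a bare count hides.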