Slashdot Mirror


Open Source Vulnerability Database Goes Live

Alascom writes "The Open Source Vulnerability Database project has finally gone live. The project aims to provide comprehensive, free and unbiased (no vendor spin) vulnerability information. The database is being incorporated into such fine open source utilities as SNORT and NESSUS."

46 of 142 comments

  1. Running on PostgreSQL, too... by tcopeland · · Score: 4, Interesting

    ...per the database info page.

    <shameless>
    Hey OSVBD folks, here's a little utility to do some PostgreSQL query analysis!
    </shameless>

    1. Re:Running on PostgreSQL, too... by Anonymous Coward · · Score: 2, Funny

      Oh! Stop Violent Bondage and Domination

  2. Naming is important by Space cowboy · · Score: 4, Interesting

    The name implied to me that it is only vulnerabilities in Open Source programs/systems that will be tracked, but reading the FAQ it seems to be that the database itself is open-source, and the database covers all systems. I think they could have named it better.

    Simon

    --
    Physicists get Hadrons!

    1. Re:Naming is important by harikiri · · Score: 2, Funny

      Well as we've seen, the Firefox/Firebird/whatever-it-is-this-month project has no qualms about regular name changes. These guys should go ahead and change it too! ;)

      --
      Man watching 6 MSCEs around a Sun box looks a lot like the opening scenes of 2001: A Space Odyssey...

    2. Re:Naming is important by MyFourthAccount · · Score: 2, Funny

      I agree, I would have called it the 'Open Sores Database'.

  3. Old news by RT Alec · · Score: 3, Informative

    Not the project, just the posts. Sendmail vulnerability from 2002? FreeBSD vulnerability (top of the list, no less) from 2000? Did I miss something?

    1. Re:Old news by Arathrael · · Score: 5, Insightful

      There are two conflicting maxims when it comes to updating systems:

      'Always apply the latest updates' and 'If it ain't broke, don't fix it'.

      Given that many people are both lazy and ignorant, they like to assume that if it appears to be working, it is, and thus they don't have to update/fix it. I imagine there's a lot of sendmail systems out there unpatched since before 2002. Old news, in terms of serious vulnerabilities, is therefore still highly relevant, since it provides a quick way of pointing and saying: 'Look, it is broken, fix it you lazy muppet'. :-)

      Having said that, those are just the 'most recent entries' on the frontpage in relation to date of entry to the database. I think that's useful to have there so you know what's been added since a previous check.

    2. Re:Old news by CaptainBaz · · Score: 5, Informative

      Not really - it's hard to take, but there really are systems out there that still haven't patched these vulnerabilities!

    3. Re:Old news by pmfp · · Score: 2, Interesting

      Which makes me wonder about Debian, they backport the patches and have a slow release cycle. The systems appear to be old and vulnerable, with only half of it being true... doesn't really match this reporting.

      --

      "So unmerciful is life, that everything afterwards is too late."
    4. Re:Old news by 4rest · · Score: 2, Informative

      Vulnerabilities that exist in OSVDB have a status and each vulnerability requires some work before we hand out the information. The vulnerabilities on the front page are the last ten vulnerabilities that have been deemed complete, and ready for general consumption.

      Check out the FAQ for more information.

  4. securityfocus by Anonymous Coward · · Score: 2, Interesting

    isn't securityfocus doing that already?

  5. They forgot one. . . by UFNinja · · Score: 5, Funny

    Slashdotting. ;)

  6. Mmmmm.... by jwthompson2 · · Score: 3, Interesting

    No vendor spin on security issues. Now we can know the truth to the best of our ability without corporate FUD, hype or downplay.

    Gotta love technology when it helps get the full-truth out there.

    --
    Even if I knew that tomorrow the world would go to pieces, I would still plant my apple tree. -Martin Luther

    1. Re:Mmmmm.... by Bug2000 · · Score: 2, Insightful

      Like spin and hype are a vendor monopoly... Is OS spin really better?

      Spin is everywhere where there is subjectivity.

      --

      It's just that the out-of-tune also have a heart.

  7. Can hear MS from here by Phisbut · · Score: 4, Interesting

    I can hear it from here... Microsoft saying "See, Open Source isn't more secure than our stuff... there is a public database that all hackers and crackers can use to exploit known vulnerabilities..."

    How long will it take till they say that?

    --
    After 3 days without programming, life becomes meaningless
    - The Tao of Programming

    1. Re:Can hear MS from here by boarder8925 · · Score: 3, Funny

      How long will it take till they say that?

      If you're calculating time using Windows, it could be as long as 54,367 minutes.
    2. Re:Can hear MS from here by kidgenius · · Score: 4, Funny

      There is one out there.

      It's called the Microsoft Knowledge Base

      Yes, that's a joke

    3. Re:Can hear MS from here by MrRuslan · · Score: 3, Interesting

      I thought the Knowledge Base was limited to mostly Microsoft products... What I had in mind was an independent database for all Windows software, because some software causes Windows to be worse than it actually is... And not just for bugs but also for general issues and annoyances... Like AOL advertising itself everywhere after you install Winamp or AIM, and software changing your homepage and advertising in weird places on your system.

    4. Re:Can hear MS from here by Wavemaker · · Score: 2, Informative

      http://cexx.org has a list of potential threats in popular Windows software as well as ways to counter them, you might want to check it out.

    5. Re:Can hear MS from here by Michalson · · Score: 2, Informative

      Actually there is truth to your statement. Previously it was easier to hide vulnerabilities in open source projects or keep them on some obscure page.

      For instance, do a search on Mozilla. They are issuing reports on vulnerabilities in 1.6. That represents a very big hole in Mozilla's normal security model, which relies on keeping all the vulnerabilities they have secret for 2 minor versions. If this site starts making public the almost monthly arbitrary code execution vulnerabilities in Mozilla, while a lot of people are still using those versions, it could be a very, very bad thing. With Mozilla becoming an ever more popular browser you could see people starting to make trojan installs and spyware targeted at Mozilla just like it is at IE now.

    6. Re:Can hear MS from here by kernelfoobar · · Score: 2, Informative

      try Windows Vulnerability to be more precise. It yields 16,600 hits
      You are comparing a company to Linux. Compare platform to platform instead.

      --
      Here we go again!

    7. Re:Can hear MS from here by kernelfoobar · · Score: 2, Interesting

      I've got to add though, comparing security based on web search results is not very precise.

      --
      Here we go again!

  8. Not really. by FreeLinux · · Score: 3, Informative

    But CERT certainly has been.

  9. This is certainly a good thing. by paroneayea · · Score: 4, Insightful

    I could see many users getting angry over this, thinking this is to the disadvantage of open source technology, but no.... this is clearly an advantage! This database will help ensure that essential bug fixes get worked on immediately.
    So don't flame over this... it will help make open source software more secure! Oh, right, and if you might think to the contrary, that people not knowing about vulnerabilities is the best way to go for security, you clearly need to do more research on the way open source software works, and why it is so effective.

    --
    http://mediagoblin.org/

  10. Cool! by MrFreshly · · Score: 4, Interesting

    This should be done for all types of software... Perhaps developers will be a little more careful with their coding and end users will be able to see just how secure the software is before they commit to it.

  11. Slashdotted? by luferbu · · Score: 5, Informative

    As it seems to be already /.ed here is the Google cache

  12. Oh, yeah, this'll be *real* useful by 0x0d0a · · Score: 3, Funny

    Yeah, this'll be *real* useful. A database with entries that become obsolete after eight hours. "There's a Linux kernel vulnerability, and it...aw, darn." ;-)

    1. Re:Oh, yeah, this'll be *real* useful by rbolkey · · Score: 4, Funny

      "There's a Win 3.11 vulnerability, and ... wow, it's listed as a feature in XP."

    2. Re:Oh, yeah, this'll be *real* useful by AKnightCowboy · · Score: 3, Interesting

      Yeah, this'll be *real* useful. A database with entries that become obsolete after eight hours. "There's a Linux kernel vulnerability, and it...aw, darn." ;-)

      Why would the data become obsolete after 8 hours? Not everyone runs out and installs the latest version of something for the hell of it you know.

    3. Re:Oh, yeah, this'll be *real* useful by MoonBuggy · · Score: 4, Insightful

      It's unfortunate, however, that DBs like this have a habit of publicising vulnerabilities without telling the software authors first. IMO if you find a problem you should tell the software dev team, give them a chance to fix it and then publicise the vulnerability along with the patch, minimising the impact that crackers could have with the info.

      I do agree that if the software developers are uncooperative then publicise the software problems, worst case scenario with OSS someone else can patch it. What irritates me is when people make a problem public without giving anyone a chance to get a fix out the door.

    4. Re:Oh, yeah, this'll be *real* useful by caudron · · Score: 4, Insightful

      DBs like this have a habit of publicising vulnerabilities without telling the software authors first.

      Seems like they could fill a niche need here by allowing people to report vulnerabilities, but not automatically posting them until a set time after the report date. Then having it automatically notify the vendor of the vulnerability. The vendor could ignore it (in which case after a set interval the issue would go public) or fix it and let it go public sooner.

      Just a thought.

      --
      -Tom

  13. Those poor moderators! by LqqkOut · · Score: 2, Informative

    Kudos to the OSVDB crew!
    I wish you much success on completing your vulnerability update/addition modules so that your moderators' inboxes can have some breathing room!

    With Retina at $995 for 16 IPs, this additional gunpower for OSS will really keep the commercial vendors on their toes.

    Maybe this will create a better turn-around time for M$'s "Security Initiative" too... Oh, wait, it's 4/2!

    --
    In Soviet Russia, radio listens to YOU!

  14. Open Source Vulnerability Database Goes Live... by crawdaddy · · Score: 3, Funny

    Open source vulnerability database goes live...and two days later, it goes dead.

    Slashdot - bringing you customizable DDoS attacks for years to come.

  15. Professionalism by schnarff · · Score: 3, Insightful

    I think that this is an excellent concept...I just wish that it were executed well enough that the site wasn't Slashdotted after 25 comments. I mean, damn, we're already trying to shake off the image of being a bunch of amateurs, and having a web site that can't even stand up to moderate traffic doesn't help.

  16. Charts by bigbaloney · · Score: 2, Funny

    I sure hope they will provide nice charts with statistics like which OS is more secure. Or perhaps a toplist with an approximation of how many users are affected. That would be very useful to the (h|cr)acker community. ;-)

  17. already been done by musikit · · Score: 4, Informative

    you know i hate the company but it has already been done and is most likely a better DB.

    the MITRE Common Vulnerability and Exposures DB

    http://www.cve.mitre.org/

    1. Re:already been done by brennz · · Score: 5, Interesting

      The CVE is "A Dictionary, NOT a Database" of vulnerabilities. It appears you aren't familiar with the CVE.

      You would be better off to compare the OSVDB against the ICAT metabase

      The ICAT has some serious shortcomings which makes my work a big PAIN! (try to cross reference a specific vulnerability that matches 10 vulnerabilities).

      OSVDB appears to better personify the open source paradigm in general, as such, I'd like to extend a warm welcome.

      We expect great things from you.

  18. It's alright by Moth7 · · Score: 2, Insightful

    A slashdotting is an honour, not a disgrace ;) The sites of many commercial adventures have gone down after a couple of comments - hell, some have even gone down while the story is still in "The Distant Future" waiting for the front page. A slashdotting is nothing to be ashamed of.

  19. Finally == Security Focus BIASED as hell by Anonymous Coward · · Score: 4, Interesting

    Security Focus became BIASED as hell from when Symantec bought them. Finally a really neutral source of information. Thank you for doing this guys ...

  20. Re:Disagree by Anonymous Coward · · Score: 5, Insightful

    Regardless of the amount of time passed, the general public, or hacker public, does not need to know how to exploit these bugs, only that they exist, and are being fixed, and where to get the newest version.

    And what happens when it isn't being fixed? Vendors have shown time and time again that unless pressure is put upon them, security fixes have a very low priority. Full disclosure is the best method of increasing that priority.

  21. You miss the point. by GirTheRobot · · Score: 5, Insightful

    Customers have a right to know that they are using vulnerable software, and be given the chance to secure themselves in any way possible. When I say customers, that means not only joe sixpack, but the admins of mission-critical and sensitive systems as well. If the vendor is unable or unwilling to fix the problem in a reasonable amount of time, the public should be given the ability to. Security through obscurity is a farce. Script kiddies might take exploit code once it is posted, but the crackers that otherwise know of these exploits are the ones doing the real damage.

    Information can be abused, yes, but personally, I think it is better than ignorance.

    1. Re:You miss the point. by Admetus · · Score: 2, Insightful

      Original poster is not arguing for security by obscurity. He says:

      Regardless of the amount of time passed, the general public, or hacker public, does not need to know how to exploit these bugs, only that they exist, and are being fixed, and where to get the newest version.

      He wants you to know that there is a flaw in your "mission-critical and sensitive systems," he just doesn't want the explicit instructions about how to do it.

      The public can take over the responsibility for patching only on Open Source projects. That might be a reason to prefer OSS, but not a reason to make non-OSS more dangerous.

  22. oval.mitre.org by eludom · · Score: 2, Informative

    Yunz may want to look at http://oval.mitre.org. In addition to listing WHAT the vulnerability is, it tries to define standardized methods for determining HOW to test for it.

  23. What makes this database "open source" ? by possible · · Score: 4, Insightful

    Calling something "open source" doesn't make it open or free (as in freedom). There are three issues of concern here.

    First, the licensing terms. Why didn't they license the OSVDB database under a free license, whether it be GPL, GFDL, or even the BSD license? If OSVDB and its sponsors (including primarily Digital Defense, Inc., a privately held computer security firm) retain complete ownership of the content, and nobody has the right to fork the database or create derivative works, I can't see why it's being spun as "open source".

    Second, I was concerned when I read the OSVDB's statement of intent to comply with the DMCA. A non-free (read: non-forkable) database based in the United States might not be the best idea. One DMCA injunction could shut it down. Since, from my reading of the terms and conditions, nobody has the right to duplicate or fork this database, the work could not continue outside the US if a DMCA injunction shut it down.

    Third, the issue of neutrality and bias. I don't believe that a non-free database sponsored by a private security consulting firm based in the United States will be able to remain neutral for long. Private companies are under no obligations to disclose their partnerships or agreements with vendors.

    You know, there are non-trivial, free (GFDL) databases out there...the precedent exists for high quality, truly FREE content. I hope OSVDB considers licensing the content under the GFDL or BSD license.

  24. Re:www.linuxsecurity.com by kernelfoobar · · Score: 3, Informative

    This covers all products all platforms, not just Linux, *BSD etc...

    --
    Here we go again!

  25. Easy livin' by Doc Ruby · · Score: 5, Insightful

    Where's the OSVDB client, that I install on a host on my LAN, that gets up-to-date security notices selected from queries defined by my local configs? That is the missing layer in OSS SW distribution. Installers, like apt-get, should register installed packages with the local OSVDB.

    The local DB gets queried by the client for installed inventory, queries the remote server. Vulnerable SW is tagged with advisory instructions, including patch URLs, confirmation URLs, and "help me" URLs, as well as the URL of the Internet site with that support and more (discussions, etc). The client sends a notification email to the sysadmin, optionally including clickable HTML to install the patch packages (which are, of course, registered with the local DB). Confirmation reports are easily entered in the HTML interface, pointing at the client, which first posts them to the local DB cache for later analysis, then posts them to the remote OSVDB. Requests for help are passed to tech support, based on a policy config'ed when the client is installed: existing support contracts, filtered marketplace pool, government/industry referral service.

    This infrastructure is the natural evolution of the global infosystem. It mirrors the evolution of the cell: we've got a cell (fire)wall already, and the nucleus (sysadmin server) is now growing a membrane (security infrastructure), with tRNA codes (patches) keeping homeostasis (uptime). As the organism (network) is sickened (exploited) by viruses (viruses) and genetic defects (bugs), vaccines (patches) and therapies (upgrades) keep the organism healthy, and reduce the risk of epidemic infection (every few days on the Internet). Once organisms got an immune system, and communities that worked with it, we took over the world from the volcanoes, eventually freeing our brains for human endeavors (gaming, surfing porn, online dating). If developers bundle the straightforward complexity in simple automated tools, the infosystem's health will become as implicit as our own.

    --
    make install -not war
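The matching step of the local client sketched in the post above (installers register packages with a local inventory, the client compares that inventory against the advisory feed and builds the sysadmin notice), as an added example in Python; it is not OSVDB code, and the advisory record layout, the identifiers and the URLs are constructed placeholders.

```python
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    """Turn a dotted version such as "8.12.9" into a comparable tuple. Numeric
    parts compare as integers; a non-numeric part sorts after numbers."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))

@dataclass
class Advisory:
    osvdb_id: str     # placeholder identifier, not a real OSVDB entry
    package: str
    fixed_in: str     # first version that is no longer affected
    patch_url: str
    confirm_url: str
    help_url: str

# Constructed inventory, as an installer such as apt-get would register it.
LOCAL_INVENTORY = {"sendmail": "8.12.9", "openssh": "3.9", "apache": "2.0.52"}

# Constructed stand-in for the remote OSVDB query result (format is invented).
ADVISORY_FEED = [
    Advisory("OSVDB-EXAMPLE-1", "sendmail", "8.12.10",
             "https://example.invalid/sendmail/patch",
             "https://example.invalid/sendmail/confirm",
             "https://example.invalid/sendmail/help"),
    Advisory("OSVDB-EXAMPLE-2", "apache", "2.0.50",      # already fixed locally
             "https://example.invalid/apache/patch",
             "https://example.invalid/apache/confirm",
             "https://example.invalid/apache/help"),
    Advisory("OSVDB-EXAMPLE-3", "bind", "9.2.4",         # not installed here
             "https://example.invalid/bind/patch",
             "https://example.invalid/bind/confirm",
             "https://example.invalid/bind/help"),
]

def match_advisories(inventory: dict, feed: list) -> list:
    """Return (advisory, installed_version) pairs where the installed version is below fixed_in."""
    hits = []
    for adv in feed:
        installed = inventory.get(adv.package)
        if installed is not None and parse_version(installed) < parse_version(adv.fixed_in):
            hits.append((adv, installed))
    return hits

def build_notice(hits: list) -> str:
    """Plain-text body of the sysadmin notification mail the post describes."""
    if not hits:
        return "no known vulnerable packages"
    lines = []
    for adv, installed in hits:
        lines.append(f"{adv.package} {installed} is vulnerable ({adv.osvdb_id}); fixed in {adv.fixed_in}")
        lines.append(f"  patch:   {adv.patch_url}")
        lines.append(f"  confirm: {adv.confirm_url}")
        lines.append(f"  help:    {adv.help_url}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_notice(match_advisories(LOCAL_INVENTORY, ADVISORY_FEED)))
```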