Slashdot Mirror

← Back to Stories (view on slashdot.org)

Open Source Vulnerability Database Goes Live

Posted by michael on from the got-bugs? dept.

Alascom writes "The Open Source Vulnerability Database project has finally gone live. The project aims to provide comprehensive, free and unbiased (no vendor spin) vulnerability information. The database is being incorporated into such fine open source utilities as SNORT and NESSUS."

30 of 142 comments (clear)

  1. Running on PostgreSQL, too... by tcopeland · · Score: 4, Interesting

    ...per the database info page.

    <shameless>
    Hey OSVBD folks, here's a little utility to do do some PostgreSQL query analysis!
    </shameless>

    --
    The Army reading list
  2. Naming is important by Space+cowboy · · Score: 4, Interesting


    The name implied to me that it is only vulnerabilities in Open Source programs/systems that will be tracked, but reading the FAQ it seems to be that the database itself is open-source, and the database covers all systems. I think they could have named it better.

    Simon

    --
    Physicists get Hadrons!
  3. Old news by RT+Alec · · Score: 3, Informative

    Not the project, just the posts. Sendmail vulnerability from 2002? FreeBSD vulnerability (top of the list, no less) from 2000? Did I miss something?

    1. Re:Old news by Arathrael · · Score: 5, Insightful

      There's two conflicting maxims when it comes to updating systems:

      'Always apply the latest updates' and 'If it ain't broke, don't fix it'.

      Given that many people are both lazy and ignorant, they like to assume that if it appears to be working, it is, and thus they don't have to update/fix it. I imagine there's a lot of sendmail systems out there unpatched since before 2002. Old news, in terms of serious vulnerabilities, is therefore still highly relevant, since it provides a quick way of pointing and saying: 'Look, it is broken, fix it you lazy muppet'. :-)

      Having said that, those are just the 'most recent entries' on the frontpage in relation to date of entry to the database. I think that's useful to have there so you know what's been added since a previous check.

    2. Re:Old news by CaptainBaz · · Score: 5, Informative

      Not really - it's hard to take, but there really are systems out there who still haven't patched these vulnerabilities!

  4. They forgot one. . . by UFNinja · · Score: 5, Funny

    Slashdotting. ;)

  5. Mmmmm.... by jwthompson2 · · Score: 3, Interesting

    No vendor spin on security issues. Now we can know the truth to the best of our ability without corporate FUD, hype or downplay.

    Gotta love technology when it helps get the full-truth out there.

    --
    Even if I knew that tomorrow the world would go to pieces, I would still plant my apple tree. -Martin Luther
  6. Can hear MS from here by Phisbut · · Score: 4, Interesting
    I can hear it from here... Microsoft saying "See, Open Source isn't more secure than our stuff... there is a public database that all hackers and crackers can use to exploit known vulnerabilities..."

    How long will it take till they say that?

    --
    After 3 days without programming, life becomes meaningless
    - The Tao of Programming
    1. Re:Can hear MS from here by boarder8925 · · Score: 3, Funny
      How long will it take till they say that?
      If you're calculating time using Windows, it could be as long as 54,367 minutes.
      --
      Keep your eyes to the sky.
    2. Re:Can hear MS from here by kidgenius · · Score: 4, Funny
      There is one out there.

      It's called the Microsoft Knowledge Base

      Yes, that's a joke

    3. Re:Can hear MS from here by MrRuslan · · Score: 3, Interesting

      I tought The Knowledge Base base was limited to mostly microsoft products...What I had in mind was a an independent database for all Windows software because some software causes windows to be worse than it actually is...And not just for bugs but also for general issues and annoyences...Like AOL advertising itself evrywhere after you install winamp or aim, and software changing your hompage and advertising in weired places on your system.

  7. Not really. by FreeLinux · · Score: 3, Informative

    But CERT certainly has been.

  8. This is certainly a good thing. by paroneayea · · Score: 4, Insightful

    I could see many users getting angry over this, thinking this is to the disadvantage of open source technology, but no.... this is clearly an advantage! This database will help ensure that essential bug fixes get worked on immediately.
    So don't flame over this... it will help make open source software more secure!Oh, right, and if you might think to the contrary, that people not knowing about vulnerabilities is the best way to go for security, you clearly need to do more research on the way open source software works, and why it is so effective.

    --
    http://mediagoblin.org/
  9. Cool! by MrFreshly · · Score: 4, Interesting

    This should be done for all types of software...Perhaps developers will be a little more careful with their codeing and end users will be able to see just how secure the software is before they commit to it.

  10. Slashdotted? by luferbu · · Score: 5, Informative

    As it seems to be already /.ed here is the Google cache

  11. Oh, yeah, this'll be *real* useful by 0x0d0a · · Score: 3, Funny

    Yeah, this'll be *real* useful. A database with entries that become obsolete after eight hours. "There's a Linux kernel vulnerability, and it...aw, darn." ;-)

    --
    May we never see th
    1. Re:Oh, yeah, this'll be *real* useful by rbolkey · · Score: 4, Funny

      "There's a Win 3.11 vulnerability, and ... wow, it's listed as a feature in XP."

    2. Re:Oh, yeah, this'll be *real* useful by AKnightCowboy · · Score: 3, Interesting
      Yeah, this'll be *real* useful. A database with entries that become obsolete after eight hours. "There's a Linux kernel vulnerability, and it...aw, darn." ;-)

      Why would the data become obsolete after 8 hours? Not everyone runs out and installs the latest version of something for the hell of it you know.

    3. Re:Oh, yeah, this'll be *real* useful by MoonBuggy · · Score: 4, Insightful

      It's unfortunate, however, that DBs like this have a habit of publicising vulnerabilities without telling the software authors first. IMO if you find a problem you should tell the software dev team, give them a chance to fix it and then publicise the vulnerability along with the patch, minimising the impact that crackers could have with the info.

      I do agree that if the software developers are uncooperative then publicise the software problems, worst case scenario with OSS someone else can patch it. What irritates me is when people make a problem public without giving anyone a chance to get a fix out the door.

    4. Re:Oh, yeah, this'll be *real* useful by caudron · · Score: 4, Insightful

      DBs like this have a habit of publicising vulnerabilities without telling the software authors first.

      Seems like they could fill a niche need here by allowing people to report vulnerabilities, but not automatically posting them until a set time after the report date. Then having it automatically notify the vendor of the vulnerability. The vendor could ignore it (in which case after a set interval the issue would go public) or fix it and let it go public sooner.

      Just a thought.

      --
      -Tom
  12. Open Source Vulnerability Database Goes Live... by crawdaddy · · Score: 3, Funny

    Open source vulnerability database goes live...and two days later, it goes dead.

    Slashdot - bringing you customizable DDoS attacks for years to come.

  13. Professionalism by schnarff · · Score: 3, Insightful

    I think that this is an excellent concept...I just wish that it were executed well enough that the site wasn't Slashdotted after 25 comments. I mean, damn, we're already trying to shake off the image of being a bunch of amateurs, and having a web site that can't even stand up to moderate traffic doesn't help.

    --
    How To Get Humans To Mars
  14. already been done by musikit · · Score: 4, Informative

    you know i hate the company but it has already been done and is most likely a better DB.

    the MITRE Common Vulerability and Exposures DB

    http://www.cve.mitre.org/

    1. Re:already been done by brennz · · Score: 5, Interesting

      The CVE is "A Dictionary, NOT a Database" of vulnerabilities. It appears you aren't familiar with the CVE

      You would be better off to compare the OSVDB against the ICAT metabase

      The ICAT has some serious shortcomings which makes my work a big PAIN! (try to cross reference a specific vulnerability that matches 10 vulnerabilities).

      OSVDB appears to better personify the open source paradigm in general, as such, I'd like to extend a warm welcome.

      We expect great things from you.

  15. Finally == Security Focus BIASED as hell by Anonymous Coward · · Score: 4, Interesting

    Security Focus became BIASED as heel from when Symantec bought them. Finally a really neutral source of information. Thank you for doing this guys ...

  16. Re:Disagree by Anonymous Coward · · Score: 5, Insightful

    Regardless of the amount of time passed, the general public, or hacker public, does not need to know how to exploit these bugs, only that they exist, and are being fixed, and where to get the newest version.

    And what happens when it isn't being fixed? Vendors have shown time and time again that unless pressure is put upon them, security fixes have a very low priority. Full disclosure is the best method of increasing that priority.

  17. You miss the point. by GirTheRobot · · Score: 5, Insightful

    Customers have a right to know that they are using vulnerable software, and be given the chance to secure themselves in any way possible. When I say customers, that means not only joe sixpack, but the admins of mission-critical and sensitive systems as well. If the vendor is unable or unwilling to fix the problem in a reasonable amount of time, the public should be given the ability to. Security through obscurity is a farce. Script kiddies might take exploit code once it is posted, but the crackers that otherwise know of these exploits are the ones doing the real damage.

    Information can be abused, yes, but personally, I think it is better than ignorance.

  18. What makes this database "open source" ? by possible · · Score: 4, Insightful

    Calling something "open source" doesn't make it open or free (as in freedom). There are three issues of concern here.

    First, the licensing terms Why didn't they license the OSVDB database under a free license, whether it be GPL, GFDL, or even the BSD license? If OSVDB and its sponsors (including primarily Digital Defense, Inc., a privately held computer security firm) retain complete ownership of the content, and nobody has the right to fork the database or create derivative works, I can't see why it's being spun as "open source".

    Second, I was concerned when I read the OSVDB's statement of intent to comply with the DMCA. A non-free (read: non-forkable) database based in the United States might not be the best idea. One DMCA injunction could shut it down. Since, from my reading of the terms and conditions, nobody has the right to duplicate or fork this database, the work could not continue outside the US if a DMCA injunction shut it down.

    Third, the issue of neutrality and bias. I don't believe that a non-free database sponsored by a private security consulting firm based in the United States will be able to remain neutral for long. Private companies are under no obligations to disclose their partnerships or agreements with vendors.

    You know, there are non-trivial, free (GFDL) databases out there...the precedent exists for high quality, truly FREE content. I hope OSVDB considers licensing the content under the GFDL or BSD license.

  19. Re:www.linuxsecurity.com by kernelfoobar · · Score: 3, Informative

    This covers all products all platforms, not just Linux, *BSD etc...

    --
    Here we go again!
  20. Easy livin' by Doc+Ruby · · Score: 5, Insightful

    Where's the OSVDB client, that I install on a host on my LAN, that gets up-to-date security notices selected from queries defined by my local configs? That is the missing layer in OSS SW distribution. Installers, like apt-get, should register installed packages with the local OSVDB.

    The local DB gets queried by the client for installed inventory, queries the remote server. Vulnerable SW is tagged with advisory instructions, including patch URLs, confirmation URLs, and "help me" URLs, as well as the URL of the Internet site with that support and more (discussions, etc). The client sends a notification email to the sysadmin, optionally including clickable HTML to install the patch packages (which are, of course, registered with the local DB). Confirmation reports are easily entered in the HTML interface, pointing at the client, which first posts them to the local DB cache for later analyis, then posts them to the remote OSVDB. Requests for help are passed to tech support, based on a policy config'ed when the client is installed: existing support contracts, filtered marketplace pool, goverment/industry referral service.

    This infrastructure is the natural evolution of the global infosystem. It mirrors the evolution of the cell: we've got a cell (fire)wall already, and the nucleus (sysadmin server) is now growing a membrane (security infrastructure), with tRNA codes (patches) keeping homeostasis (uptime). As the organism (network) is sickened (exploited) by viruses (viruses) and genetic defects (bugs), vaccines (patches) and therapies (upgrades) keep the organism healthy, and reduce the risk of epidemic infection (every few days on the Internet). Once organisms got an immune system, and communities that worked with it, we took over the world from the volcanoes, eventually freeing our brains for human endeavors (gaming, surfing porn, online dating). If developers bundle the straightforward complexity in simple automated tools, the infosystem's health will become as implicit as our own.

    --

    --
    make install -not war