Your distro should havê a security mailing list you van subscribe to
Seeing my colleagues, I fear that the answer from them is “That’s the neat part, you don’t!”
Same here. Our servers are so out of date that we might not have a version of xz with any commits from Jia Tan at all.
I don’t think up-to-date Debian stable even got it before it was discovered. No prod servers should be affected
I do regular automated updates. For anything requiring human intervention like the xz thing I trust Lemmy and YouTube to keep me updated. No dedicated news source because if I were to freak out about every new vulnerability found I wouldn’t be able to sleep at night.
Why does the xz thing require human intervention?
If you had it on a computer that is accessible via SSH from the internet you should proceed under the assumption that it was compromised. Which means you should reinstall from a safe medium and change your keys and passwords.
I rely on Lemmy and in
pacman -SyyueverydayThen, what does a package maintainer rely on?Edit: I’m so dumb. It’s obvious they’d check original developer’s repo or issue tracker. I’m sorry
You can track this kind of stuff on Mastodon also, join into a security instance (like https://infosec.exchange/explore) or start following them from another instance.
I don’t know… I guess in mailing lists and pages like RSS feed from main enterprises like SuSE, Red Hat and Canonical
Found out about the xz one on Lemmy. Years ago I was briefly subscribed to Bugtraq but that was too much. Now I’m subscribed to a few OS specific security announcement mailing lists.
My distribution (archlinux) notifies of critical vulnerabilities that require user action. There’s a news mailing list.
After that I rely on social network (Mastodon mostly) or lemmy for news, as vulnerabilities often get some conversation. Apart from that, software i’m really interested in I also follow through RSS so I get news when they update for their vulnerabilities -that is when the vulnerabilities are not self inflicted as the xz case-.
Arch Linux (like some other distros) also has a security tracker: https://security.archlinux.org/
I’m subscribed to https://bugalert.org/ RSS feeds, but it seems they haven’t had any activity since October last year.
Does anyone know what happened to them?
I didn’t really consider that there are feeds for such things, especially for my distro(s). Embarrassing, but it means you helped making me safer!
I’m now subscribed to the Debian security list, seeing as all my servers run Debian. I just had unattended upgrades with Mail logs before.
I rely on notifications from
glsa-checkor my distro’s package manager. I was notified about a problem withxz-utilson Thursday evening, but didn’t see anyone post about it until Friday morning.glsa-checkis a command-line tool included with the gentoolkit package in Gentoo Linux. Its primary function is to scan your system for installed packages that are vulnerable according to Gentoo Linux Security Advisories (GLSAs). GLSAs are official notifications from the Gentoo security team about security vulnerabilities that affect packages in the Gentoo repository.I tend to find out about vulnerabilities before it hits the news outlets from the rss feed at https://seclists.org/oss-sec/
Other than that, I’ve got a bunch of other security feeds I follow and also have automated updates with just about everything.
Used to follow the RHEL security lists but they recently retired those as well. Could really use a replacement.
I just use
unattended-upgradesand forget about itSame for the RPM ecosystem: yum-cron and walk away. Been that way for almost 25 years.
Having been involved with OS Security in the middle of my career, I also still watch feeds like I used to; just, different ones, now.
Lucky I only have to worry about ones from Cisco or FortiNet and both have RSS feeds that I have linked into Slack at work to tell us when a new patch is out or a new psirt is released.
For Ubuntu, I use https://ubuntu.com/security/oval
