One thing I don't like about Fedora is slow security updates

January 31, 2016

I generally like Fedora, but there are things that they don't seem to do well. Unfortunately one of them is prompt security updates, especially for nominally supported but not current versions (such as Fedora 22 right now).

At the best of times I can generally expect a multi-day delay for security updates. Consider OpenSSL CVE-2016-0701. This was warned about in advance and announced on Thursday. Most distributions had immediate updates out that day (Ubuntu, for example). Fedora got an update out for Fedora 23 only on the weekend (I'm not clear if it became available Saturday or Sunday). It's not just OpenSSL, either; I've seen similar delays for OpenSSH, the kernel, and other things that I've heard security announcements about.

Worse is the current situation with Fedora 22, as far as I can see. I noticed this recently when I realized that my Fedora 22 machine had not been rebooted in over 30 days. I assure you that there have been Linux kernel security issues in the past 30 days that apply to the Fedora 22 kernel, because Fedora 23 uses basically the same kernel and has had a series of kernel updates over that time. Yes, Fedora 22 is not the current version, but in theory it is still supported.

(Fedora 22 may also be missing other security updates. I normally don't really keep track of security issues to the level of checking whether I have a vulnerable package and whether it's been updated; that's something I delegate to my distribution. I notice kernels because I notice reboots being needed due to them.)
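As an added example (not code from the original post), here is the check that "I notice reboots being needed" amounts to: order kernel package names the way rpm does and report whether a newer kernel than the running one is already installed. The version strings are the ones named on this page plus a hypothetical 4.3.4-200.fc22; the rpm ordering is a simplified reimplementation, not rpm's own code.

```python
import re
from functools import cmp_to_key
from typing import List, Tuple

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")
# Arch suffixes as they appear in 'rpm -q kernel' and 'uname -r' output.
_ARCHES = ("x86_64", "i686", "aarch64", "armv7hl", "ppc64le", "noarch")

def rpmvercmp(a: str, b: str) -> int:
    """Order two version/release strings the way rpm does: alternating
    numeric and alpha segments, numerics as integers, numeric beats alpha.
    Returns -1, 0 or 1. Tilde ordering is omitted (simplification)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def kernel_vr(name: str) -> Tuple[str, str]:
    """'kernel-4.3.3-300.fc23.x86_64' or '4.3.3-300.fc23.x86_64' -> ('4.3.3', '300.fc23')."""
    if name.startswith("kernel-"):
        name = name[len("kernel-"):]
    for arch in _ARCHES:
        if name.endswith("." + arch):
            name = name[: -len(arch) - 1]
    version, _, release = name.rpartition("-")
    return version, release

def cmp_kernels(a: str, b: str) -> int:
    """Compare two kernel NVRs: version first, then release."""
    va, ra = kernel_vr(a)
    vb, rb = kernel_vr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def newest_kernel(installed: List[str]) -> str:
    return max(installed, key=cmp_to_key(cmp_kernels))

def reboot_needed(running: str, installed: List[str]) -> bool:
    """True when a kernel newer than the running one is already installed."""
    return cmp_kernels(newest_kernel(installed), running) > 0

# Constructed sample: the F22 builds named in the comments plus a hypothetical
# 4.3.4-200.fc22, with the box still running the old 4.2.8 kernel.
INSTALLED = ["kernel-4.2.8-200.fc22.x86_64", "kernel-4.3.3-200.fc22.x86_64",
             "kernel-4.3.4-200.fc22.x86_64"]
```

On a Fedora host the two inputs come from `rpm -q kernel` and `uname -r`; when this check passes yet the running kernel is weeks old, the updates are not arriving, which is the situation the post describes.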

Of course Fedora never promised us Fedora users anything in particular. It's open source so I get to keep all of the pieces. I'm just glad that I only run Fedora on my personal machines, which are relatively locked down, and I don't have any Fedora servers.

(At this point I would strongly advise against running Fedora on servers for the obvious reasons. Use something like Debian, or Ubuntu if you have to and don't care about Canonical's increasingly questionable behavior.)


Comments on this page:

From 89.158.47.90 at 2016-02-04 19:21:42:

FWIW, I find Fedora's bodhi page to have comprehensive information about issued updates.

Using the page of the latest OpenSSL update for F22, you can see that it was submitted on Thursday, pushed to testing on Friday and pushed to stable on Saturday.

The kernel page is a little more surprising. It shows the last update for the kernel was 3 days ago (that's in testing right now) and the previous update was 10 days ago. Maybe you're hitting a frozen mirror and that's why you're not seeing updates?

HTH, Emmanuel

By cks at 2016-02-04 19:44:57:

I don't think it's as simple as a frozen mirror for the kernel updates, and in fact the gap is clearly visible on the overall bodhi page for the kernel. That previous F22 kernel you mentioned was submitted 10 days ago, but it only made it to stable updates 3 days ago. Before that there was an obsoleted 4.3.3-200 build and then a big gap back to 4.2.8-200. In that big Fedora 22 gap, Fedora 23 saw a string of kernel updates starting with 4.3.3-300.fc23, which is marked as a security update.

Since both Fedora 22 and Fedora 23 started from 4.2.8, the security issues that prompted 4.3.3-300.fc23 applied just as much to the Fedora 22 4.2.8 kernel. Yet a Fedora 22 kernel update did not start processing until 14 days after the Fedora 23 one. The bug for CVE-2015-8569 makes this explicit: 'fixed in Fedora git on all branches' on December 17th, initial F23 kernel submitted to Bodhi on January 6th, F23 kernel in stable on the 12th, Fedora 22 kernel submitted to Bodhi on the 20th, and an F22 kernel that closes the CVE in stable only on February 1st.

Last modified: Sun Jan 31 20:55:22 2016