[dundee] CVE and security figures for a distro

Robert Ladyman it at file-away.co.uk
Tue Jul 27 07:36:33 UTC 2010


Cross-posted from the opensuse-announce list: comparison between 10.3 and 
11.0. Interesting that "There is a 7% decrease in [...] security updates [...] 
but [...] a 13% increase in CVE numbers..."


> Hi,
> 
> With the release of a rpm security fix on Friday 23rd July
> we have released the last update for openSUSE 11.0.
> 
> It is now officially discontinued and out of support.
> 
> openSUSE 11.0 was released on June 17 2008, making it 2 years
> and 1 month of security and bugfix support.
> 
> Some statistics on the released patches (compared to 10.3):
> Total updates:		644     (-71)
> 	Security:	485     (-36)
> 	Recommended:	157     (-34)
> 	Optional:	  2 	( -1)
> 
> 	CVE Entries:	1141 	(+135)
> 
> There is a 7% decrease in the number of security updates compared to
> openSUSE 10.3, but there seems to be a 13% increase in CVE numbers fixed.
> 
> Top issues (compared to 10.3 for issues down to 5):
>      18 MozillaFirefox		(+5)
>      12 opera			(-1)
>      10 clamav			(-2)
>      10 acroread		(+1)
>       9 kernel			(-2)
>       8 wireshark		(-1)
>       7 seamonkey		(-3)
>       7 MozillaThunderbird	(-2)
>       7 moodle			( 0)
>       7 java-1_6_0-sun		(-5)
>       7 flash-player		(+1)
>       7 cups			(-5)
>       7 apache2-mod_php5	( 0)
>       6 libpng			( 0)
>       6 java-1_5_0-sun		(-4)
>       6 samba			(new)
>       5 libopenssl-devel	(-1)
>       5 bind			(0)
>       5 viewvc
>       5 strongswan
>       5 libopenssl
>       5 java-1_6_0-openjdk
>       5 pidgin
> 
> 
> And top issues sorted by CVE (Common Vulnerability Enumeration) count
> (down to 5) (compared to 10.3 for the top):
> 	143	MozillaFirefox		(+20)
> 	102	java-1_6_0-sun		(+27)
> 	93	acroread		(+41)
> 	83	seamonkey		(-27)
> 	75	kernel			(+20)
> 	64	flash-player		(+30)
> 	63	java-1_5_0-sun		( -7)
> 	54	MozillaThunderbird	( -4)
> 	50	java-1_6_0-openjdk	(new)
> 	40	mozilla-xulrunner190	(new)
> 	36	mozilla-xulrunner181	(-10, went out of maintenance)
> 	35	wireshark		( +7)
> 	27	moodle			(+17)
> 	24	apache2-mod_php5	( +8)
> 	23	opera			( +4)
> 	19	xpdf			( -2)
> 	18	xine-devel		( -5)
> 	18	phpMyAdmin		( -1)
> 	18	pidgin/finch		( +1)
> 	17	ruby			( -2)
> 	17	clamav			( -7)
> 	14	cups			(-20)
> 	13	OpenOffice_org		( +3)
> 	13	libpoppler3		( -4)
> 	13	libmysqlclient-devel	( -1)
> 	12	samba/cifs-mount	( +5)
> 	11	tomcat6 (was tomcat55)	( +2)
> 	11	kdegraphics3		(  0)
> 	11	ghostscript-devel	( +5)
> 	11	apache2			( -8)
> 	10	postgresql		( +1)
> 	9	viewvc
> 	9	libopenssl-devel
> 	9	horde
> 	8	xorg-x11-Xvnc
> 	8	python
> 	8	krb5
> 	7	strongswan
> 	7	libpoppler-devel
> 	7	kvm
> 	7	gvim
> 	7	bind
> 	6	timezone
> 	6	qemu
> 	6	lighttpd
> 	6	libxml2
> 	6	libpng-devel
> 	5	xgl
> 	5	squid
> 
> 
> # security updates by count
> grep -l type..secur updateinfo-* |
>   sed -e 's/^updateinfo-//;s/-[0-9]*\.xml$//;' | sort | uniq -c | sort -rn | less
> 
> # total number of distinct CVE ids across all updates
> # (prints one id per line and nothing when none is found, so wc -l can report 0)
> grep CVE- update* | perl -e '%cve=(); while (<>) { while
>   (/(CVE-2...-....)/) { $cve{$1}++; s/CVE-2...-....//; } }
>   print map { "$_\n" } sort keys %cve;' | wc -l
> 
> # distinct CVE ids per update file
> for i in updateinfo-* ; do
>   echo -n "$i "
>   grep CVE- "$i" | perl -e '%cve=(); while (<>) { while
>     (/(CVE-2...-....)/) { $cve{$1}++; s/CVE-2...-....//; } }
>     print map { "$_\n" } sort keys %cve;' | wc -l
> done
> 

-- 
Robert Ladyman
File-Away Limited
3 Ralston Business Centre, Newtyle, Blairgowrie
Perthshire  PH12 8TL SCOTLAND
Tel: +44 (0) 1828 898 158
Mobile: +44 (0) 7732 771 649
http://www.file-away.co.uk

============================================
Registered Office: 32 Church Street, Newtyle, Blairgowrie
Perthshire, PH12 8TZ SCOTLAND
Registered in Scotland, Company Number SC222086
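
Added example, not part of the original post or of openSUSE's tooling: a Python tally of security updates and distinct CVE ids per package, the aggregation behind the two tables in the quoted mail, plus the percentage arithmetic it reports. The file naming follows the sed expression in the mail; the sample file contents, the package names and the function names summarise and pct_change are constructed for illustration.

```python
import re
from collections import defaultdict

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")             # any id length, unlike CVE-2...-....
NAME_RE = re.compile(r"^updateinfo-(.+)-\d+\.xml$")  # naming implied by the mail's sed
SECURITY_RE = re.compile(r"type..secur")             # same loose test as the mail's grep


def summarise(files):
    """Map package -> (security updates, distinct CVE ids) for {file name: text}."""
    updates, cves = defaultdict(int), defaultdict(set)
    for name, text in files.items():
        m = NAME_RE.match(name)
        if m is None or not SECURITY_RE.search(text):
            continue  # not an update file, or not a security update
        pkg = m.group(1)
        updates[pkg] += 1
        cves[pkg].update(CVE_RE.findall(text))  # a set, so repeated ids count once
    return {pkg: (updates[pkg], len(cves[pkg])) for pkg in updates}


def pct_change(current, delta):
    """Percentage change relative to the previous release (current - delta)."""
    return 100.0 * delta / (current - delta)


# Constructed sample input: not real openSUSE data and not the real updateinfo schema.
SAMPLE = {
    "updateinfo-examplepkg-101.xml": '<update type="security">CVE-0000-0001 CVE-0000-0002</update>',
    "updateinfo-examplepkg-102.xml": '<update type="security">CVE-0000-0002 CVE-0000-12345</update>',
    "updateinfo-example-1_0-lib-7.xml": '<update type="security">no CVE assigned</update>',
    "updateinfo-examplepkg-103.xml": '<update type="recommended">bug fix</update>',
}

if __name__ == "__main__":
    for pkg, (n_updates, n_cves) in sorted(summarise(SAMPLE).items()):
        print(f"{pkg}: {n_updates} security updates, {n_cves} distinct CVEs")
    # Figures from the mail: 485 security updates (-36), 1141 CVE entries (+135).
    print(f"security updates: {pct_change(485, -36):+.1f}%")
    print(f"CVE entries:      {pct_change(1141, 135):+.1f}%")
    print(f"CVEs per security update: {1141 / 485:.2f} (11.0) vs {1006 / 521:.2f} (10.3)")
```

The last line shows how both percentages in the mail can hold at once: fewer security updates were shipped, but each one fixed more CVE ids on average.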



