How do you track security vulnerabilities?

kylian0087, 1 month ago

I actually have automated security updates on all my servers. Also in general i run greenbone at home that does daily scans of all the VLANS/networks I have at home.

delirious_owl, 1 month ago

I just use unattended-upgrades and forget about it

corsicanguppy, 1 month ago

Same for the RPM ecosystem: yum-cron and walk away. Been that way for almost 25 years.

Having been involved with OS Security in the middle of my career, I also still watch feeds like I used to; just, different ones, now.

JoeKrogan, 1 month ago

Your distro should havê a security mailing list you van subscribe to

KarnaSubarna, 1 month ago

For Ubuntu, I use ubuntu.com/security/oval

Mikelius, 1 month ago

I tend to find out about vulnerabilities before it hits the news outlets from the rss feed at seclists.org/oss-sec/

Other than that, I’ve got a bunch of other security feeds I follow and also have automated updates with just about everything.

treadful, 1 month ago

Used to follow the RHEL security lists but they recently retired those as well. Could really use a replacement.

LastoftheDinosaurs, 1 month ago

I rely on notifications from glsa-check or my distro’s package manager. I was notified about a problem with xz-utils on Thursday evening, but didn’t see anyone post about it until Friday morning.

glsa-check is a command-line tool included with the gentoolkit package in Gentoo Linux. Its primary function is to scan your system for installed packages that are vulnerable according to Gentoo Linux Security Advisories (GLSAs). GLSAs are official notifications from the Gentoo security team about security vulnerabilities that affect packages in the Gentoo repository.

tla, 1 month ago

oss-security.openwall.org/subscribe

PlexSheep, 1 month ago

I didn’t really consider that there are feeds for such things, especially for my distro(s). Embarrassing, but it means you helped making me safer!

I’m now subscribed to the Debian security list, seeing as all my servers run Debian. I just had unattended upgrades with Mail logs before.

giloronfoo, 1 month ago

I’m subscribed to bugalert.org RSS feeds, but it seems they haven’t had any activity since October last year.

Does anyone know what happened to them?

eveninghere, 1 month ago

Seeing my colleagues, I fear that the answer from them is “That’s the neat part, you don’t!”

LastoftheDinosaurs, 1 month ago

Same here. Our servers are so out of date that we might not have a version of xz with any commits from Jia Tan at all.

delirious_owl, 1 month ago

I don’t think up-to-date Debian stable even got it before it was discovered. No prod servers should be affected

andrewd18, 1 month ago

Mailing list provided by my distro. lists.debian.org/debian-security-announce/

PlexSheep, 1 month ago

Didn’t know this existed. Just subscribed. Thanks

Pika, 1 month ago

you just made me look for my distros security list, I never even thought of that!

Vilian, 1 month ago

i subscribed for fedora mailist a few days ago and their talk awas helpful for me to notice that i was one of the affected, just subscribe to your distro blog/mail/etc

slazer2au, 1 month ago

Lucky I only have to worry about ones from Cisco or FortiNet and both have RSS feeds that I have linked into Slack at work to tell us when a new patch is out or a new psirt is released.

lurch, 1 month ago

the worst ones end up on https://slashdot.org/ e.g.:

https://m.slashdot.org/story/426644

I read it like twice per day. However, my software updates should fix most automatically without me even knowing what was going on.