Do you rely on mailing lists or news articles for security vulnerabilities? Please share.

I only got to know about xz/liblzma [1] and curl [2] [3] vulnerabilities through lemmy (maybe because of high severity?).


  1. 1 ↩︎

  2. 2 ↩︎

  3. 3 ↩︎

  • Björn Tantau@swg-empire.de
    link
    fedilink
    arrow-up
    42
    ·
    9 months ago

    I do regular automated updates. For anything requiring human intervention like the xz thing I trust Lemmy and YouTube to keep me updated. No dedicated news source because if I were to freak out about every new vulnerability found I wouldn’t be able to sleep at night.

      • Björn Tantau@swg-empire.de
        link
        fedilink
        arrow-up
        4
        ·
        9 months ago

        If you had it on a computer that is accessible via SSH from the internet you should proceed under the assumption that it was compromised. Which means you should reinstall from a safe medium and change your keys and passwords.

  • Brunacho@scribe.disroot.org
    link
    fedilink
    English
    arrow-up
    12
    arrow-down
    1
    ·
    9 months ago

    My distribution (archlinux) notifies of critical vulnerabilities that require user action. There’s a news mailing list.

    After that I rely on social network (Mastodon mostly) or lemmy for news, as vulnerabilities often get some conversation. Apart from that, software i’m really interested in I also follow through RSS so I get news when they update for their vulnerabilities -that is when the vulnerabilities are not self inflicted as the xz case-.

  • PlexSheep@feddit.de
    link
    fedilink
    arrow-up
    9
    ·
    edit-2
    9 months ago

    I didn’t really consider that there are feeds for such things, especially for my distro(s). Embarrassing, but it means you helped making me safer!

    I’m now subscribed to the Debian security list, seeing as all my servers run Debian. I just had unattended upgrades with Mail logs before.

  • Last@reddthat.com
    link
    fedilink
    arrow-up
    6
    ·
    9 months ago

    I rely on notifications from glsa-check or my distro’s package manager. I was notified about a problem with xz-utils on Thursday evening, but didn’t see anyone post about it until Friday morning.

    glsa-check is a command-line tool included with the gentoolkit package in Gentoo Linux. Its primary function is to scan your system for installed packages that are vulnerable according to Gentoo Linux Security Advisories (GLSAs). GLSAs are official notifications from the Gentoo security team about security vulnerabilities that affect packages in the Gentoo repository.

  • eveninghere@beehaw.org
    link
    fedilink
    arrow-up
    6
    ·
    9 months ago

    Seeing my colleagues, I fear that the answer from them is “That’s the neat part, you don’t!”

    • Last@reddthat.com
      link
      fedilink
      arrow-up
      4
      ·
      9 months ago

      Same here. Our servers are so out of date that we might not have a version of xz with any commits from Jia Tan at all.

  • Mikelius@lemmy.ml
    link
    fedilink
    arrow-up
    6
    ·
    9 months ago

    I tend to find out about vulnerabilities before it hits the news outlets from the rss feed at https://seclists.org/oss-sec/

    Other than that, I’ve got a bunch of other security feeds I follow and also have automated updates with just about everything.

  • Vilian@lemmy.ca
    link
    fedilink
    arrow-up
    4
    ·
    9 months ago

    i subscribed for fedora mailist a few days ago and their talk awas helpful for me to notice that i was one of the affected, just subscribe to your distro blog/mail/etc

    • corsicanguppy@lemmy.ca
      link
      fedilink
      arrow-up
      5
      ·
      edit-2
      9 months ago

      Same for the RPM ecosystem: yum-cron and walk away. Been that way for almost 25 years.

      Having been involved with OS Security in the middle of my career, I also still watch feeds like I used to; just, different ones, now.

  • AlphaAutist@lemmy.world
    link
    fedilink
    arrow-up
    3
    ·
    9 months ago

    You can watch rss feeds to follow all CVEs like Microsoft’s https://api.msrc.microsoft.com/update-guide/rss

    NIST used to have an rss feed for CVEs but deprecated it recently. They still have other ways you can follow it though https://nvd.nist.gov/vuln/data-feeds

    Or if you just want to follow CVEs for certain applications you can host/subscribe to something like https://www.opencve.io/welcome which allows you to filter CVEs from NIST’s National Vulnerability Database (NVD)

  • lemmyreader@lemmy.ml
    link
    fedilink
    English
    arrow-up
    3
    ·
    9 months ago

    Found out about the xz one on Lemmy. Years ago I was briefly subscribed to Bugtraq but that was too much. Now I’m subscribed to a few OS specific security announcement mailing lists.

    • unhinge@programming.devOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      9 months ago

      Then, what does a package maintainer rely on?

      Edit: I’m so dumb. It’s obvious they’d check original developer’s repo or issue tracker. I’m sorry