Published in: Empirical Software Engineering 2/2023

01-03-2023

Vulnerability management in Linux distributions

An empirical study on Debian and Fedora

Authors: Jiahuei Lin, Haoxiang Zhang, Bram Adams, Ahmed E. Hassan


Abstract

Vulnerabilities in software systems not only lead to loss of revenue, but also to loss of reputation and trust. To avoid this, software providers strive to remedy vulnerabilities rapidly for their customers. However, in open-source development, the providers do not always control the distribution of their software themselves, but instead typically rely on Linux distributions to integrate and distribute upstream projects to millions of end users, which increases the difficulty of vulnerability management. In addition, an upstream project is usually packaged into several Linux distributions, so a vulnerability can propagate across multiple distributions via the upstream project. In this work, we empirically investigate a large number of vulnerabilities registered with the Common Vulnerabilities and Exposures (CVE) program in two popular Linux distributions, i.e., Debian (21,752 CVE-IDs) and Fedora (17,434 CVE-IDs), to study the practices of vulnerability management in such ecosystems. We investigate the lifecycle of fixing vulnerabilities, measure how long a vulnerability takes to go through each phase of its lifecycle, characterize the commonly occurring vulnerabilities that affect both distributions, and identify the practices that developers use to fix vulnerabilities. Our results suggest that the vulnerability testing period (i.e., the period from when the vulnerability fix is committed for testing to when the vulnerability fix is released) accounts for the largest number of days (median of 15 days) in Fedora. 74% (i.e., 16,070) and 92% (i.e., 16,070) of the vulnerabilities in Debian and Fedora, respectively, occur in both Linux distributions; we refer to these as common security vulnerabilities (CSVs). This result is impacted by the package selection and customization of the distributions.
Finally, on a representative sample of 345 fixed CSVs, we find that upstream projects were responsible for fixing 303 (85%) and 267 (76%) out of the 345 CSVs in Debian and Fedora, respectively, with distribution maintainers integrating those fixes. Our work aims to gain a deeper understanding of the current practices in the vulnerability management of Linux distributions, and propose suggestions to distribution maintainers for better mitigation of the risks of vulnerabilities.


Metadata

Title: Vulnerability management in Linux distributions. An empirical study on Debian and Fedora
Authors: Jiahuei Lin, Haoxiang Zhang, Bram Adams, Ahmed E. Hassan
Publication date: 01-03-2023
Publisher: Springer US
Published in: Empirical Software Engineering / Issue 2/2023
Print ISSN: 1382-3256
Electronic ISSN: 1573-7616
DOI: https://doi.org/10.1007/s10664-022-10267-7
