Vulnerability management in Linux distributions

An empirical study on Debian and Fedora

Published in: Empirical Software Engineering

Abstract

Vulnerabilities in software systems not only lead to loss of revenue, but also to loss of reputation and trust. To avoid this, software providers strive to remedy vulnerabilities rapidly for their customers. However, in open-source development, the providers do not always control the distribution of their software themselves, but instead typically rely on Linux distributions to integrate and distribute upstream projects to millions of end users, which increases the difficulty of vulnerability management. In addition, an upstream project is usually packaged into several Linux distributions, so that a vulnerability can propagate across multiple distributions via the upstream project. In this work, we empirically investigate a large number of vulnerabilities registered with the Common Vulnerabilities and Exposures (CVE) program in two popular Linux distributions, i.e., Debian (21,752 CVE-IDs) and Fedora (17,434 CVE-IDs), to study the practices of vulnerability management in such ecosystems. We investigate the lifecycle of fixing vulnerabilities, analyze how long it takes for a vulnerability to go through each phase of its lifecycle, characterize the commonly occurring vulnerabilities that affect both distributions, and identify the practices that developers use to fix vulnerabilities. Our results suggest that the vulnerability testing period (i.e., the period from when the vulnerability fix is committed for testing to when the vulnerability fix is released) accounts for the largest number of days (median of 15 days) in Fedora. 74% (i.e., 16,070) and 92% (i.e., 16,070) of the vulnerabilities in Debian and Fedora, respectively, occur in both Linux distributions; we refer to these as common security vulnerabilities (CSVs). This result is influenced by the package selection and customization of the distributions. Finally, on a representative sample of 345 fixed CSVs, we find that upstream projects were responsible for fixing 303 (85%) and 267 (76%) of the 345 CSVs in Debian and Fedora, respectively, with distribution maintainers integrating those fixes. Our work aims to gain a deeper understanding of the current practices in the vulnerability management of Linux distributions, and proposes suggestions to distribution maintainers for better mitigation of the risks of vulnerabilities.

Data Availability Statement

The datasets generated and/or analysed during the current study are available online (see Note 40).

Notes

  1. https://seclists.org/oss-sec/2014/q2/225

  2. https://en.wikipedia.org/wiki/List_of_Linux_distributions

  3. https://www.zdnet.com/article/the-five-most-popular-end-user-linux-distributions/

  4. https://itsfoss.com/best-linux-distributions/

  5. https://getfedora.org/sponsors/

  6. https://www.redhat.com/en/blog/what-open-source-upstream

  7. https://github.com/SAILResearch/suppmaterial-22-justina-vulnerability_management_in_linux_distributions

  8. https://security-tracker.debian.org/tracker/CVE-2018-7225

  9. https://docs.python.org/3/library/mailbox.html

  10. https://cve.mitre.org/cve/list_rules_and_guidance/correcting_counting_issues.html

  11. https://bugzilla.redhat.com/show_bug.cgi?id=1553919

  12. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883

  13. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0160

  14. https://bugzilla.redhat.com/show_activity.cgi?id=1187225

  15. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773720

  16. https://bugzilla.redhat.com/show_bug.cgi?id=1184079

  17. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756630

  18. https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d9590647d

  19. https://security-tracker.debian.org/tracker/CVE-2015-2779

  20. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480724

  21. https://www.debian.org/security/2009/dsa-1819

  22. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838832

  23. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7551

  24. https://getfedora.org/sponsors/

  25. https://www.redhat.com/en/resources/managing-vulnerabilities-FAQ

  26. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732394

  27. https://libvirt.org/git/?p=libvirt.git;a=commit;h=5fc590ad9f4

  28. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000409

  29. https://seclists.org/oss-sec/2017/q4/385

  30. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2737

  31. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2737

  32. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=679429

  33. https://www.zdnet.com/article/heartbleed-serious-openssl-zero-day-vulnerability-revealed/

  34. https://bugzilla.redhat.com/show_activity.cgi?id=1084875

  35. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881862

  36. https://bugzilla.redhat.com/show_bug.cgi?id=1516995

  37. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698916

  38. https://cve.mitre.org/cve/list_rules_and_guidance/correcting_counting_issues.html

  39. https://ci.debian.net/doc/

  40. https://github.com/SAILResearch/suppmaterial-22-justina-vulnerability_management_in_linux_distributions

Acknowledgements

We would like to thank the anonymous reviewers for their insightful comments.

Author information

Corresponding author

Correspondence to Haoxiang Zhang.

Ethics declarations

Conflict of Interests

The authors declare that they have no conflict of interest.

Additional information

Communicated by: Jacques Klein

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

About this article

Cite this article

Lin, J., Zhang, H., Adams, B. et al. Vulnerability management in Linux distributions. Empir Software Eng 28, 47 (2023). https://doi.org/10.1007/s10664-022-10267-7

  • DOI: https://doi.org/10.1007/s10664-022-10267-7