Linux patch problems: Your version may vary

As Linux grows, choosing a version that fixes flaws quickly is critical. However, as Edmund X. DeJesus discovered, some Linux distributions publish security fixes faster than others.

With all the different distributions of Linux available -- many for free -- what distinguishes one over another? Most have the same set of standard bells and whistles. A few have support options that might be appealing for enterprise-level deployments.

Nevertheless, underneath the surface, they all share pretty much the same code base. After all, that's what makes Linux so intriguing: busy open source developers all over the planet are always adding features or fixing bugs, and anybody can take advantage of their work.

So, why pick one brand instead of another? One reason is security. Not the security of the code itself, but how fast security patches get applied and published. The faster a security patch can be applied, the smaller the window of opportunity for attacks that exploit those vulnerabilities. Therefore, all other things being equal, security managers would prefer a Linux distribution with a record of speedy publication of fixes for security issues.

Vulnerabilities examined and their severity

Severity   Vulnerabilities
High       Clam Antivirus
Moderate   Sendmail
           GNU Privacy Guard
Low        KDEBase
           KDE Display Manager
           GNOME Display Manager
None       cpio
           Open Secure Shell

One way to make a non-scientific determination as to how quickly various Linux distributions publish their updates is by searching the Secunia database of advisories. It's easy to perform detailed searches using the Danish vulnerability clearinghouse's database to acquire the dates of code changes for known security vulnerabilities.

For example, examine the search results for 30 shared vulnerabilities (see the table above) announced within the last six months that affected 11 popular Linux distributions (see the table at the end of the article). These distributions include both free versions that are created and maintained by volunteers, and retail versions that are sold by commercial vendors.

Simply examining some of this database information is interesting for comparison purposes. For example, if we look at the July update for the highly critical libmms vulnerability, we see that all the announced updates occurred within one day. By contrast, the libtiff and mysql vulnerabilities took 52 days and 46 days, respectively, to be patched on each of the platforms. Clearly, some distributions are getting updates out faster than others are.

Taking this a step further, for each of the 30 security issues, one could find the earliest and latest updates, and assign a score to each Linux distribution based on how quickly its handlers addressed that issue. For instance, if a distribution fixed an issue on the earliest date, it would receive a score of 100 for that issue; if it was the last vendor to fix the issue, it would get a score of 0. One can then average the scores after evaluating the 30 issues.
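The scoring method described above, carried out in code as an added example (this is not the article's own tooling, and the advisory dates below are constructed for illustration rather than taken from Secunia). Each issue's earliest fix date scores 100, its latest scores 0, and dates in between are interpolated linearly; per-issue scores are then averaged per distribution. The case where every vendor publishes on the same day (as with libmms) is handled explicitly, since a naive implementation would divide by zero there. Distributions that never published a fix for an issue are simply left out of that issue's scoring, which is an assumption the article does not spell out.

```python
from collections import defaultdict
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample data: advisory publication date per distribution, per issue.
# Distribution and issue names are illustrative; the dates are NOT Secunia's real records.
ADVISORIES: Dict[str, Dict[str, date]] = {
    # Everyone shipped on the same day: span is zero, so all vendors score 100.
    "libmms": {
        "Ubuntu": date(2005, 7, 18),
        "Fedora": date(2005, 7, 18),
        "SUSE": date(2005, 7, 18),
    },
    # 50-day spread: Ubuntu first (day 0), Fedora day 5, SUSE last (day 50).
    "libtiff": {
        "Ubuntu": date(2005, 5, 1),
        "Fedora": date(2005, 5, 6),
        "SUSE": date(2005, 6, 20),
    },
    # 40-day spread: Fedora first (day 0), Ubuntu day 10, SUSE last (day 40).
    "mysql": {
        "Fedora": date(2005, 3, 1),
        "Ubuntu": date(2005, 3, 11),
        "SUSE": date(2005, 4, 10),
    },
}


def issue_scores(fix_dates: Dict[str, date]) -> Dict[str, float]:
    """Score one issue: earliest fix date -> 100, latest -> 0, linear in between."""
    if not fix_dates:
        return {}
    earliest = min(fix_dates.values())
    latest = max(fix_dates.values())
    span_days = (latest - earliest).days
    if span_days == 0:
        # All vendors published on the same day; nobody was "last", so all get full marks.
        return {distro: 100.0 for distro in fix_dates}
    return {
        distro: 100.0 * (latest - fixed).days / span_days
        for distro, fixed in fix_dates.items()
    }


def distribution_scores(advisories: Dict[str, Dict[str, date]]) -> Dict[str, float]:
    """Average each distribution's per-issue scores over the issues it published a fix for."""
    per_distro: Dict[str, List[float]] = defaultdict(list)
    for fix_dates in advisories.values():
        for distro, score in issue_scores(fix_dates).items():
            per_distro[distro].append(score)
    return {distro: sum(scores) / len(scores) for distro, scores in per_distro.items()}


def ranking(advisories: Dict[str, Dict[str, date]]) -> List[Tuple[str, float]]:
    """Distributions ordered from fastest (highest average score) to slowest."""
    scores = distribution_scores(advisories)
    return sorted(scores.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for distro, score in ranking(ADVISORIES):
        print(f"{distro:<8} {score:6.1f}")
```

With the constructed data the run ranks Fedora ahead of Ubuntu, with SUSE well behind, which mirrors the pattern the article reports even though the numbers are made up. Feeding it real advisory dates for 30 issues and 11 distributions would reproduce the article's method exactly.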

In this instance, Ubuntu and Fedora received the highest scores overall, reflecting their tendency to be among the first responders for many issues. The lowest scores were shared by OpenBSD, Slackware, SUSE and Trustix.

Naturally, it's unwise to put too much stock in the absolute numbers themselves; it's better to think about what is causing these results. For example, both Ubuntu and Fedora are free, but are sponsored by commercial vendors (Canonical Ltd. and Red Hat Inc., respectively). This could indicate that having corporate resources to support free efforts is important.

Also notice that retail distributions aren't necessarily better than free distributions in this regard. While Red Hat earned a respectable 63, Novell's SUSE received a 32. Some retail distributors may have a lengthier process to develop and test fixes, because they must support more enterprise-level customers. A similar consideration may help explain Trustix Secure Linux's low score of 32: this distribution is oriented toward security, so perhaps its security experts take longer to verify vulnerability fixes.

The fact that other freely available versions like Debian score so well may reflect the distributed nature of such projects. With participating developers all over the world, they may be able to pounce on problems faster than organisations limited to a single country or site.

The bottom line is that even this informal analysis shows there are definitely differences in how fast Linux distributions develop and issue security patches. Security managers should keep that in mind when their organisations are in the process of selecting a version of Linux. Timeliness of security updates may prove to be a key issue that differentiates manufacturers of otherwise-similar operating systems.

Edmund X. DeJesus is a freelance technical writer in Norwood, Mass.

Name                        Free?                            Owner                                        Score
Ubuntu                      Yes                              Ubuntu Project (sponsored by Canonical)      76
Fedora Core                 Yes                              Fedora Project (sponsored by Red Hat)        70
Red Hat Enterprise Linux    No                               Red Hat                                      63
Debian GNU/Linux            Yes                              Debian                                       61
Mandriva Linux (Mandrake)   Yes (plus commercial versions)   Mandriva                                     54
FreeBSD                     Yes                              FreeBSD Foundation                           51
Gentoo Linux                Yes                              Gentoo Foundation                            39
Trustix Secure Linux        Yes                              Trustix Project (sponsored by Comodo Group)  32
SUSE Linux Enterprise       No                               Novell                                       32
OpenBSD                     Yes                              OpenBSD Project                              31
Slackware Linux             Yes                              Slackware Linux                              30
