Appendix C. Vendor Information and Security Standards

This appendix explains how to obtain security information from particular vendors. It also provides an annotated list of available Internet standards, known as Request for Comments (RFC) documents, which address security.

Vendor Security Information

Instead of an out-of-date list of vendor security bulletins, in this section you will learn how to obtain the vendors’ current lists of security bulletins and patches.

Any good system administrator will regularly check the security sites for the products he runs, or subscribe to their security mailing lists.

Hewlett-Packard

Hewlett-Packard provides a great deal of security information. You must log in to their site to access it. The main page is http://us-support2.external.hp.com/common/bin/doc.pl/. Select Technical Knowledge Base after logging in.

You will see search bulletins and patches for HP-UX and MPE. HP-UX is HP’s version of Unix. MPE is an old mini-computer operating system from HP. As of the summer of 2002, it appears as though the Compaq information has not been merged in with this site.

On HP’s patch page, the best thing to do is pick your series and OS version. Then change the box that says Search by Keyword to Browser Patch List.

For security bulletins, I recommend ignoring the links at the top of the page that only enable you to search the bulletins and instead find the Security Bulletin Archive. At the time of this writing, this link is at the very bottom of the page, in small print.

IBM

Unfortunately, IBM does not seem to have a good single spot for security and security patch information. What security information it has is scattered all over its Web sites.

IBM’s main security page is http://www.ibm.com/security. This page is focused on security news and products. The Resource Center link on this page will take you to some good information about security.

The main product support page is http://www.ibm.com/support/us/. Each product group has its own Web page, and there is little consistency to the information by product. However, if you need security information by product, you should start at this point. The download page here enables you to download security products, but does not focus on security patches.

IBM’s Lotus division has a page known as IT Central Security Zone. It is a well-focused page covering security with the Lotus products, and can be found at http://www.lotus.com/security.

Linux

Many Linux distributions are available, and this section presents information on security sources for some of the major distributions.

Caldera

Caldera’s security advisories page is located at http://www.calderasystems.com/support/security/. Caldera appears to have more security advisories than any other Linux distribution. This does not mean that their Linux is any less secure. In fact, the opposite is probably true. Each security advisory tells you the packages you need to download to fix a particular security problem.

Debian

Debian does something unusual among vendors—they provide security alerts from their main Web site. On http://www.debian.org/security, you can scroll to the bottom of the page, and the security alerts are right there. Each security alert has links to software that needs to be downloaded to patch your system. A security alert mailing list is available at http://www.debian.org/MailingLists/subscribe#debian-security-announce.

Red Hat

Red Hat’s setup for security information is as good as, if not better than, that of most of the big established companies. The main support page for Red Hat is http://www.redhat.com/apps/support/. From this page, you can select your OS version. Under each of the version-specific pages, you will find a link to the security advisories for that version. Each security advisory has links to the new version of software with the bugs fixed.

Red Hat has something you will never see from the major OS vendors. You can search their bug database at http://bugzilla.redhat.com/bugzilla/ and see the currently open security bugs. From this page, click Query Existing Bug Reports.

You can select a particular product. If you don’t, you’ll get information on them all. In the status list box, you might want to add additional status information. In the summary field, you might want to type the word security. Then click Submit Query and you’ll get back a list of bugs.

SuSE

SuSE is a German Linux distribution. The main security page for this Linux distribution is http://www.suse.com/us/support/security/index.html. From here, you can find all the security advisories. Each security advisory lists what needs to be downloaded to fix your system.

SuSE has a couple of useful mailing lists. is for general security discussion, and you can subscribe by sending email to . If you just want to get security announcements, send email to . More lists are documented at http://www.suse.com/us/support/mailinglists/index.html.

Microsoft

There are many opinions on whether Microsoft does a good job of keeping on top of security issues. However, one thing you cannot fault it for is a shortage of security information on its Web site. The main security page is http://www.microsoft.com/security/.

From the main security page, you will find bulletins, best practices, tools, checklists, and articles. What Microsoft calls bulletins are really documents describing the patches it has released. To find out about other security issues, you need to go to a different part of the Web site—the Knowledge Base.

The Microsoft Knowledge Base is full of information on its products, including security issues. The main search page for the Knowledge Base is http://search.support.microsoft.com/kb/c.asp?ln=en-us. Pick the product you want to find security issues for. Many searches will result in security-related articles. I recommend a simple search on just the word “security” to get started. You’ll get back all kinds of security articles.

Another useful resource on Microsoft’s site is TechNet, available at http://www.microsoft.com/TechNet. Whereas Knowledge Base searches a database, TechNet is more article-based, including many articles about security.

Sun Microsystems

Sun Microsystems has a Web site called SunSolve (http://sunsolve.sun.com) that includes security information. Sun takes security seriously on its site. You will find a link on the main page taking you to the security patch cluster, so you can grab all the security patches for your version of Solaris as one file.

You will also see links to the latest security bulletin, as well as an archive of security bulletins. These are good reading for understanding security issues related to Sun systems and Java.

You can contact Sun with security alerts by emailing if you think you have discovered a new security problem. Sun also has a PGP key available on its Web site to encrypt communication. You can find instructions on the Sun site on how to regularly receive the Sun bulletins via email.

RFC Documents Relevant to Security

The following list of security-related RFC documents and their locations is arranged in numerical order from the earliest to the most recently published. All RFCs can be found at http://www.ietf.org/rfc.html.
