Yesterday the Arch Linux Security Team announced the new security tracker for Arch Linux, which is available at https://security.archlinux.org/. The security tracker lets you browse ASAs (Arch Linux Security Advisories), AVGs (Arch Linux Vulnerability Groups) and CVEs in Arch packages. But what are these?

First we need to understand what a vulnerability is. Wikipedia describes it as follows:

a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.[1] To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.

A vulnerability, in contrast to a security bug, where the system is simply not behaving as designed, is a way of abusing the system and can stem from either a faulty design or a faulty implementation. A design may even be implemented correctly and still expose a vulnerability because the design itself is flawed. A security bug can usually be fixed easily, whereas a vulnerability requires a software patch that usually needs to be backported. In the case of known vulnerabilities, all stakeholders, such as developers, server admins and package maintainers, need to be informed. That's where the Arch CVE Monitoring Team (ACMT) comes into play. CVE refers to Common Vulnerabilities and Exposures, a system which provides a reference method for publicly known information-security vulnerabilities and exposures. The ACMT drives the public arch-security mailing list, over which it informs Arch developers about CVEs. In addition, they now also maintain the new tracker.

In addition to CVEs there are also ASAs (Arch Linux Security Advisories) and AVGs (Arch Linux Vulnerability Groups). Security advisories are a way of communicating security information about issues to customers, accompanied by additional information about any upcoming changes, fixes, suggested actions and so on. An ASA usually contains the following information:

  • General Info (Severity, Package, …)
  • Summary
  • Resolution
  • Workaround
  • Description
  • Impact
  • References

AVGs, on the other hand, are a way of grouping security advisories and related CVEs. As I understand it, an AVG contains all ASAs and CVEs which affect the same version of a package and are fixed in the same particular version.
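As an added illustration of that grouping rule (my own example, not code from the post or from the tracker), the snippet below groups constructed CVE records into vulnerability groups keyed by package, affected version and fixed version, and reports whether an installed package version is still affected. The field names, the simplified version comparison and the rule that a group takes the severity of its most severe member are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample records (placeholder CVE ids), shaped after the fields the
# post lists: package, affected version, fixed version, severity.
SAMPLE_ISSUES = [
    {"cve": "CVE-0000-0001", "package": "foo", "affected": "1.2.0-1", "fixed": "1.2.1-1", "severity": "High"},
    {"cve": "CVE-0000-0002", "package": "foo", "affected": "1.2.0-1", "fixed": "1.2.1-1", "severity": "Medium"},
    {"cve": "CVE-0000-0003", "package": "foo", "affected": "1.2.1-1", "fixed": None, "severity": "Low"},
    {"cve": "CVE-0000-0004", "package": "bar", "affected": "3.0-2", "fixed": "3.0-3", "severity": "Critical"},
]

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def version_key(version):
    """Simplified ordering of an Arch 'pkgver-pkgrel' string with integer
    components. Assumption: a stand-in for pacman's vercmp, not a port of it."""
    pkgver, _, pkgrel = version.partition("-")
    return [int(part) for part in pkgver.split(".")] + [int(pkgrel or 0)]


def build_groups(issues):
    """One vulnerability group per (package, affected, fixed), as the post
    describes an AVG: the CVEs share the affected and the fixing version."""
    buckets = defaultdict(list)
    for issue in issues:
        buckets[(issue["package"], issue["affected"], issue["fixed"])].append(issue)
    groups = []
    for (package, affected, fixed), members in buckets.items():
        groups.append({
            "package": package,
            "affected": affected,
            "fixed": fixed,
            "cves": sorted(member["cve"] for member in members),
            # Assumed convention: the group is rated by its most severe member.
            "severity": max((m["severity"] for m in members), key=SEVERITY_RANK.__getitem__),
        })
    return groups


def group_status(group, installed_version):
    """'Fixed' once the installed version reaches the fixing version; a group
    without a fixing version yet can only be 'Vulnerable'."""
    if group["fixed"] is None:
        return "Vulnerable"
    fixed = version_key(installed_version) >= version_key(group["fixed"])
    return "Fixed" if fixed else "Vulnerable"


if __name__ == "__main__":
    for group in build_groups(SAMPLE_ISSUES):
        print(group["package"], group["severity"], group["cves"], group_status(group, "1.2.1-1"))
```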

Further information can be found