The Debian Security Audit Project was started to focus on security issues in Debian packages. The project's goal is to audit applications that are included in a stable Debian Linux release. Since its inception the project has paid off, turning up issues that were then fixed and announced through Debian Security Advisories.
Recent security advisories have identified vulnerabilities in the following packages:
- kdegraphics, the KDE graphics packages, including the kpdf PDF viewer.
- Drupal, a Web content management system.
- moin (MoinMoin), a wiki engine written in Python.
- PHP 5, a hypertext preprocessor.
Because of the size of the Debian archive, not every package can be audited. These are the guidelines the project uses to decide which packages get audited first:
- Any binary which is installed setuid or setgid.
- Anything that provides a service over a network.
- Any remotely accessible CGI/PHP scripts.
- Anything which contains a cron job or other automated script that runs with root privileges.
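As an added example (not code from the original post, nor tooling from the Debian Security Audit project itself), the POSIX shell script below turns those four guidelines into a concrete candidate list for a Debian-style system: setuid/setgid binaries, listening network sockets, scripts under the web roots, and cron jobs that run as root. The web-root paths (/usr/lib/cgi-bin, /var/www) are the Debian apache2 defaults and are an assumption; every function takes a root directory so it can be pointed at "/" on a live host or at a constructed tree for a dry run.

```shell
#!/bin/sh
# Added example for this post (not tooling from the Debian Security Audit
# project): enumerate the four kinds of audit candidates listed above on a
# Debian-style filesystem tree.
#
# Every function takes a root directory as $1, so it can be pointed at "/"
# on a live host or at a constructed tree for a dry run. Assumption: the web
# roots below are the Debian apache2 defaults; adjust for other servers.

# 1. Binaries installed setuid or setgid.
#    -perm -4000 matches the setuid bit, -perm -2000 the setgid bit; -xdev
#    keeps find on one filesystem so /proc, /sys and network mounts are
#    not walked.
find_setuid_setgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# 2. Anything that provides a service over the network: listening TCP and
#    UDP sockets with the owning process. Needs root to attribute sockets
#    to other users' processes; not exercised by a dry run on a tree.
list_network_listeners() {
    if command -v ss >/dev/null 2>&1; then
        ss -H -ltnup
    else
        netstat -ltnup 2>/dev/null || echo "(neither ss nor netstat available)" >&2
    fi
}

# 3. Remotely accessible CGI/PHP scripts: executable files or *.php/*.cgi
#    under the web roots. A PHP file need not be executable to be reachable,
#    hence the name tests alongside the owner-execute bit (-perm -0100).
find_web_scripts() {
    for d in "$1/usr/lib/cgi-bin" "$1/var/www"; do
        [ -d "$d" ] || continue
        find "$d" -type f \( -perm -0100 -o -name '*.php' -o -name '*.cgi' \) 2>/dev/null
    done | sort
}

# 4. Cron jobs that run as root: every script in the run-parts directories
#    (cron runs those as root), plus entries in /etc/crontab and /etc/cron.d
#    whose user field is "root". System crontabs use the format
#    "m h dom mon dow user command"; "@reboot user command" is also allowed.
find_root_cron_jobs() {
    for d in "$1/etc/cron.hourly" "$1/etc/cron.daily" \
             "$1/etc/cron.weekly" "$1/etc/cron.monthly"; do
        [ -d "$d" ] || continue
        find "$d" -type f 2>/dev/null
    done
    for f in "$1/etc/crontab" "$1"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            NF == 0 || $1 ~ /^#/ { next }                # blank lines and comments
            $6 == "root" || ($1 ~ /^@/ && $2 == "root") { print file ": " $0 }
        ' "$f"
    done
}

# Run all four checks against a root directory, with a heading per class.
audit_candidates() {
    echo "== setuid/setgid binaries"; find_setuid_setgid "$1"
    echo "== network listeners";      list_network_listeners
    echo "== web scripts";            find_web_scripts "$1"
    echo "== root cron jobs";         find_root_cron_jobs "$1"
}

# Usage: "sudo sh audit.sh /" on a live host, or "sh audit.sh /some/tree"
# for a dry run against a constructed directory.
if [ -n "${1:-}" ]; then
    audit_candidates "$1"
fi
```

Run it as root so that ss can attribute each listening socket to a process. The setuid/setgid list is the one to triage first: every entry is a privilege boundary that an unprivileged local user can reach, which is exactly why it heads the project's guidelines.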
I like the aggressive approach that Debian is taking rather than waiting for users or developers to stumble on vulnerabilities. Security should start with application architecture and carry through testing, and in most cases it does. However, sometimes bugs get through and it's nice to see additional testing.
You can subscribe to the debian-security-announce mailing list to receive e-mail alerts.