[sf-lug] security announcements/"news" - some of those reputable sources (was: Re: Ransomware threat to Linux servers)
Michael Paoli
Michael.Paoli at cal.berkeley.edu
Mon Nov 16 07:41:30 PST 2020
> From: "Akkana Peck" <akkana at shallowsky.com>
> Subject: Re: [sf-lug] Ransomware threat to Linux servers
> Date: Tue, 10 Nov 2020 09:05:22 -0700
> Reading that made me realize that I need to find some of those
> reputable sources and follow them. I prefer an RSS feed so it will
> show up in my daily news reader, so that's mainly what I looked for.
>
> Anyone have any other websites, mailing lists or RSS feeds they
> recommend for keeping informed about Linux security issues -- the
> stuff we actually need to know, not the irrelevant scare tactics we
> see in the news?
It seems there ought to be (and probably are - somewhere(s)), some well
curated lists of such resources.
I'll mention a few here, and not necessarily in any particular order,
and far from a list anywhere near complete ... and some of the
information is more meta-information.
First of all, most any Operating System (OS) vendor/distro/etc.,
and likewise the providers/vendors of much software - especially larger
and/or more security-sensitive software, typically have their own
"security" or "security announcement" lists or the like, though some
lack such or more generally lump them in with bugs and other more
general discussion lists. Some additionally and/or alternatively have
RSS feed(s). Some even use (or supplement with) other means, e.g.
Twitter.com. Also, many of such are made freely available to the
public - often such lists, etc., security updates themselves,
generally yes for Open Source, and often/sometimes, but not as
commonly nor completely for closed source.
So, generally good to "subscribe" or the like to those, as/where
relevant.
E.g. for Debian.org, there's
https://lists.debian.org/debian-security-announce/
(most notably covers stable, and while supported, oldstable,
and within, main, and with non-free and contrib being supported on a
"best effort" basis). That does not cover testing/unstable/sid.
Also, for Debian, for those that may wish to check on security
status - most notably including status for things that haven't (yet)
had a security announcement (or won't), or status of
Debian security bugs:
https://security-tracker.debian.org/tracker/
Beyond Debian's security team support - notably LTS, there's:
https://lists.debian.org/debian-lts-announce/
ELTS? Probably have a look here:
https://deb.freexian.com/extended-lts/docs/follow-updates/
E.g. PuTTY:
https://lists.tartarus.org/mailman/listinfo/putty-announce
(You have PuTTY on, e.g. Microsoft Windows? Should probably be
subscribed to the above).
Much etc.
There are probably also curated list(s) to many of the distros/vendors
of OSs and software and their security-announce (or nearest equivalent)
list(s) and/or other notification services. That information is
also typically fairly easy to find on, e.g. each OS distro/vendor's,
or software's, web site.
There are also more generalized "cyber security" type lists, and such.
E.g.:
US-CERT:
https://us-cert.cisa.gov/ncas/alerts
https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new
Some services also give good risk ratings to vulnerabilities, e.g.:
https://nvd.nist.gov/
... having such risk ratings can be quite useful, most notably
when one may get a relatively large volume of security alert
notifications (some of which are much more critical and higher risk than
others, and may quite call for much more timely, if not immediate,
action). There are various US (and other) governmental agencies (and
quasi-governmental agencies) that have various lists and notification
services, many of which are open and available to the public.
There are also lots of reputable organizations/persons that put out
quite good information - and may have their own list(s)/feed(s) or
the like ... I'm not going to attempt to list them here, though,
as there are many (and there's also lots of hype/crud out there too,
and junk/"noise"/hype "reporting" ... which can also be mixed in with
actual serious issues - even from some of the same "news"
sources/organizations).
There are also lots of restricted lists/services, e.g. paid for
services, or otherwise restricted. E.g. some vendors/providers will
offer a paid service to receive notifications in advance of public
notifications (e.g. ISC.org ... if you're running ISC bind on root
nameservers or high-value DNS servers - might be well worth the
investment cost), or their security announcements aren't
available to the public (e.g. must be a paid customer).
Some of these services/providers do later make the same
materials/announcements open to the public.
E.g. in some job/employment position(s) I am and/or have been
privy to, under NDA and/or otherwise restricted, security
announcements/disclosures from list(s) / notification service(s) from
source(s) notably including outside/beyond employer/company,
that were not open to the public ... at least including from some
governmental source(s). So, ... depending upon one's association(s),
affiliation(s), position(s), employer(s), agency(/ies), clearance(s),
paid product(s)/subscription(s), etc., one may or may not potentially
have access to such notification services or the like. So, e.g. if one
works or is affiliated ... government, military, law enforcement,
critical infrastructure, purchased user of certain
product(s)/service(s), etc., there may be such resources one might have
access to or be able to obtain information feeds or the like from.
Hmmm, if someone wants to put such a list together on wiki ...
or probably more usefully a meta-list of link(s) to well
curated list(s) of such that exist ... wiki could
be good place for that. BALUG's wiki
https://www.wiki.balug.org/wiki/doku.php?do=index&idx=balug
could be a good place for that. If you don't have a login
account on the wiki to, e.g. edit?, and (may) want such?
Have a look towards the top of:
https://www.wiki.balug.org/wiki/doku.php
... well, there's even SF-LUG's wiki (SF-LUG's namespace on wiki hosted
on BALUG):
https://www.wiki.balug.org/wiki/doku.php?do=index&idx=sf-lug
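Akkana asked for feeds, and Michael points at NVD-style risk ratings as the way to cope with a large volume of alerts. As an added example that is not from the post or from any of the listed sources, here is a Python script that parses a constructed security-announce RSS feed, pulls each item's CVSS v3 base score out of its description, maps it to NVD's qualitative rating, and returns the high-risk items first. The feed layout, package names, links and scores are all constructed placeholders; real feeds differ in how (or whether) they embed a score.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample feed: package names, links and scores are placeholders.
SAMPLE_RSS = """<?xml version="1.0"?><rss version="2.0"><channel>
<item><title>examplepkg-a - security update</title><link>https://example.invalid/adv/1</link>
<description>Remote code execution. CVSS v3 base score: 9.8</description></item>
<item><title>examplepkg-b - security update</title><link>https://example.invalid/adv/2</link>
<description>Denial of service. CVSS v3 base score: 5.3</description></item>
<item><title>examplepkg-c - security update</title><link>https://example.invalid/adv/3</link>
<description>Information leak. CVSS v3 base score: 7.5</description></item>
<item><title>examplepkg-d - security update</title><link>https://example.invalid/adv/4</link>
<description>No score published yet.</description></item>
</channel></rss>"""

SCORE_RE = re.compile(r"CVSS v3 base score:\s*(\d{1,2}(?:\.\d)?)")

def cvss_rating(score):
    """Map a CVSS v3 base score to NVD's qualitative severity rating."""
    if score is None:
        return "UNSCORED"
    for ceiling, name in ((0.0, "NONE"), (3.9, "LOW"), (6.9, "MEDIUM"),
                          (8.9, "HIGH"), (10.0, "CRITICAL")):
        if score <= ceiling:
            return name
    raise ValueError(f"CVSS score out of range: {score}")

def parse_feed(xml_text):
    """One dict per <item>; score is None when the description gives none."""
    out = []
    for item in ET.fromstring(xml_text).iter("item"):
        m = SCORE_RE.search(item.findtext("description", default=""))
        score = float(m.group(1)) if m else None
        out.append({"title": item.findtext("title", default="").strip(),
                    "link": item.findtext("link", default="").strip(),
                    "score": score, "rating": cvss_rating(score)})
    return out

def triage(xml_text, min_score=7.0):
    """Items scored at or above min_score, highest first, followed by
    unscored items: a missing rating is not evidence of low risk."""
    items = parse_feed(xml_text)
    urgent = sorted((i for i in items if i["score"] is not None
                     and i["score"] >= min_score),
                    key=lambda i: i["score"], reverse=True)
    return urgent + [i for i in items if i["score"] is None]

if __name__ == "__main__":
    for i in triage(SAMPLE_RSS):
        print(f'{i["rating"]:9} {str(i["score"]):5} {i["title"]}')
```

Run it as-is to see the constructed feed triaged; to use it on a real list, replace SAMPLE_RSS with the fetched feed text and adjust SCORE_RE to however that list states its scores.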