Correct system time is a security issue

There’s a story that hit Slashdot today about Debian (see bug #433869) not using the system to send out an update to the timezone data for a change in New Zealand daylight savings time.

The update in question is not a security fix, however having the correct time on a system is very important for security. Without the correct local time across all of your different systems (and thus having the correct timestamp on log messages) you will not be able to collate messages between different systems (e.g. routers, firewalls, other unix/linux systems) during an incident. This has already been released by Microsoft, Red Hat and, I expect, other vendors.

To me this seems just to be another reason that an commercial company should not run Debian GNU/Linux as you’re at the whims of a bunch of volunteers who are unlikely to understand the security concerns of your business (e.g. PCI/DSS or Sarbanes-Oxley). However it’s still a good OS if you’re running a personal system or if you can have a team of Debian sysadmins/developers at your call to backport important package changes.

3 thoughts on “Correct system time is a security issue

  1. There’s no need for it to have gone out via security – it could happily have gone out in a point release (and if r1 hadn’t been held up for so long by the kernel I would expect that it would’ve done so).

    The other thing here is that we didn’t get volatile turned on for etch; it’s available via d-i for lenny and given things like SA and ClamAV that’s a good thing.

  2. Sure it being in the last point release would have worked, but they missed that release chance and should have done something else to support their user base.

    The main point is that they let the DST change happen without doing an announcement or getting the fix out in a way that the majority installed systems could get.

    Now systems in New Zealand very likely have incorrect clocks until the admin’s manually install this fix which is an security issue and then they will not be able to get any security updates for this package (which I guess was not likely to happen).

    As an aside, the deployment of package updates via volatile and it’s lack of support by the security team is just another issue awaiting those that use Debian commercially.

  3. Yeah, I’m not sure what the plan is for supporting volatile once lenny is releaseed. I’d expect something, though the volatile team seems to be doing a good job already.

    It’s a shame nobody’s been able to arrange for any more work on security.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s