Debian Security Advisory 1000 just arrived in my mailbox. This might or might not (depending on your point of view) be something to celebrate. We skip the celebration for now and look at some statistics instead.
Since the first DSA in November 2000 (the numbered DSA series started then; Debian had been releasing security advisories since 1997) there has been a steady flow, averaging one advisory every other day.
# ruby -rdate -e 'puts "DSAs/day: #{1000.0/(Date.parse("2006-03-14") - Date.parse("2000-11-29"))}"'
DSAs/day: 0.517866390471258
# ruby -e 'puts "Days between DSAs: #{1/0.517866390471258}"'
Days between DSAs: 1.931
We can also note that every year has seen more DSAs than the previous one, and this year does not seem to be any different. So far 72 advisories have been issued, which, by a stroke of coincidence, is exactly the number issued in 2005 up to March 14th.
2000: 10
2001: 85
2002: 124
2003: 186
2004: 216
2005: 307
2006: 72
Continuing with the date statistics, we see that January is by far the month with the most advisories (153), followed by October (96) and February (94). Also interesting is that the late spring and summer months July (72), June (62) and May (40) come furthest down the list. It would seem that even security experts prefer the sun to the computer. Nah, probably purely coincidental. Everybody knows that computer geeks prefer the screen and its friendly glow.
The most popular date is, not surprisingly, in January: the 23rd (12), with three advisories more than any other day.
Top 10
But, let us leave the dates and move on to something more interesting: Top 10.
Vulnerabilities
The top 10 vulnerabilities are given below (the number is the number of DSAs tagged with that vulnerability).
173 - buffer overflow
130 - several vulnerabilities
57 - buffer overflows
37 - missing input sanitising
37 - insecure temporary file
27 - insecure temporary files
27 - programming error
23 - denial of service
22 - integer overflow
18 - format string
The most common vulnerability is, not surprisingly, buffer overflows, followed by insecure temporary files and missing input sanitising; all three are classic security issues.
Packages
The 16 packages with the most advisories are given below (a list of only 10 would have excluded packages with the same number of advisories as some that were included).
13 - ethereal
13 - kdelibs
11 - squid
10 - cvs
9 - mysql
8 - krb5
8 - cupsys
8 - heimdal
8 - samba
7 - sudo
7 - tcpdump
7 - xfree86
7 - xpdf
7 - apache
7 - openssl
7 - fetchmail
These numbers are actually a bit surprising. I can understand that kdelibs, mysql, cupsys, samba, xfree86 and apache are included since they are pretty big. But what’s ethereal, cvs, tcpdump, xpdf and fetchmail doing there? I don’t think they are big enough to justify their appearance among the top (bottom?) 10.
We close this post with the top packages, counting only 2005 and 2006. Much the same as the previous, but now with squid as the leader and courier and firefox joining in.
7 - squid
5 - clamav
4 - courier
4 - ethereal
4 - xpdf
4 - mozilla-firefox
4 - kdelibs
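To show how the per-year, per-month, busiest-day, top-vulnerability and top-package figures above can be produced from an advisory index in one pass, here is an added Ruby script. It is an example written for this page, not the author's own "tiny DSA statistics script" and not anything shipped by Debian. The index line format ("id date package -- tag") and the nine sample entries are constructed for the example; the real DSA list is larger and formatted differently. It also generalizes the two one-liners from the start of the post (advisories per day and days between advisories) to whatever span the data covers, and extends a top-n list to include ties, which is the reason the package list above has 16 entries instead of 10.

```ruby
require 'date'

# Constructed sample of advisory index entries (not the real DSA list), one per
# line in the form "<id> <YYYY-MM-DD> <package> -- <vulnerability tag>".
SAMPLE_DSAS = <<~EOS
  DSA-001 2000-11-29 zope -- missing input sanitising
  DSA-002 2000-12-05 ethereal -- buffer overflow
  DSA-003 2001-01-23 kdelibs -- buffer overflow
  DSA-004 2001-01-23 squid -- insecure temporary file
  DSA-005 2001-01-23 cvs -- programming error
  DSA-006 2005-07-02 squid -- buffer overflows
  DSA-007 2005-10-11 clamav -- several vulnerabilities
  DSA-008 2006-01-09 squid -- buffer overflow
  DSA-009 2006-03-14 ethereal -- buffer overflow
  this line is malformed and is skipped by the parser
EOS

Dsa = Struct.new(:id, :date, :package, :vuln)
LINE_RE = /\A(DSA-\d+)\s+(\d{4}-\d{2}-\d{2})\s+(\S+)\s+--\s+(.+)\z/

# The tag vocabulary is not consistent (the page counts "buffer overflow" and
# "buffer overflows" separately), so fold the known plural forms together.
PLURAL_TAGS = {
  "buffer overflows"         => "buffer overflow",
  "insecure temporary files" => "insecure temporary file",
}

def normalize_tag(tag)
  PLURAL_TAGS.fetch(tag, tag)
end

# Parse the index; lines that do not match the expected shape are dropped.
def parse_dsas(text)
  text.each_line.map do |line|
    m = LINE_RE.match(line.strip)
    m && Dsa.new(m[1], Date.parse(m[2]), m[3], m[4])
  end.compact
end

# Generic histogram: count entries by whatever key the block extracts.
def count_by(dsas)
  dsas.each_with_object(Hash.new(0)) { |d, h| h[yield(d)] += 1 }
end

def per_year(dsas)
  count_by(dsas) { |d| d.date.year }.sort.to_h
end

def per_month(dsas)
  count_by(dsas) { |d| d.date.month }.sort.to_h
end

# Calendar day (MM-DD) with the most advisories; ties go to the earliest day.
def busiest_day(dsas)
  count_by(dsas) { |d| d.date.strftime("%m-%d") }.min_by { |day, n| [-n, day] }
end

# Top n by count, extended to include everything tied with the n-th entry.
def top_with_ties(counts, n)
  sorted = counts.sort_by { |name, c| [-c, name] }
  return sorted if sorted.size <= n
  cutoff = sorted[n - 1][1]
  sorted.take_while { |_, c| c >= cutoff }
end

def top_packages(dsas, n, since_year: nil)
  subset = since_year ? dsas.select { |d| d.date.year >= since_year } : dsas
  top_with_ties(count_by(subset, &:package), n)
end

def top_vulns(dsas, n, normalize: true)
  top_with_ties(count_by(dsas) { |d| normalize ? normalize_tag(d.vuln) : d.vuln }, n)
end

# Advisories per day and days between advisories over the span from the
# first to the last entry (the page's two one-liners, generalized).
def rate(dsas)
  first, last = dsas.map(&:date).minmax
  days = (last - first).to_i
  { days: days, per_day: dsas.size.to_f / days, days_between: days.to_f / dsas.size }
end

if __FILE__ == $0
  dsas = parse_dsas(SAMPLE_DSAS)
  puts "Per year:   #{per_year(dsas)}"
  puts "Per month:  #{per_month(dsas)}"
  puts "Busiest:    #{busiest_day(dsas).inspect}"
  puts "Vulns:      #{top_vulns(dsas, 3).inspect}"
  puts "Packages:   #{top_packages(dsas, 3).inspect}"
  puts "Since 2005: #{top_packages(dsas, 3, since_year: 2005).inspect}"
  puts "Rate:       #{rate(dsas)}"
end
```

Run it as `ruby dsa_stats.rb`. On the sample data, asking for the top 3 packages returns all six because four of them are tied at one advisory each, which is the same effect that turned the page's top 10 into a top 16; and the normalized vulnerability count merges "buffer overflows" into "buffer overflow", whereas the raw count keeps them apart exactly as the page's list does.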
Disclaimer: I know it’s unfair to just list the packages with the most advisories. I should probably dig deeper and compare the count to the impact each vulnerability had. But I don’t have the time to do so now and my tiny DSA statistics script doesn’t do it for me. So take the data presented here (as the Swedish saying goes) with an ounce of salt.
