Are there Linux exploits where using Fedora made a difference instead of Ubuntu/Debian?
Fedora is technically more secure, but did that ever make a difference, or is it just theoretical?
I am trying to find examples of exploits on the internet, but I am not an IT person, so I cannot make any conclusions.
Right now there is a vulnerability in Fedora’s OpenH264 codec which has taken months to update. It looks like they have finally gotten it under control and a patch is expected next week. But the fact it took this long is ridiculous. Fedora doesn’t include the popular H.264 and H.265 codecs in their repos due to Fedora’s extreme caution about non-FOSS software. Fedora’s OpenH264 codec is instead supplied by a Cisco-owned repository, which is preset on Fedora installs.
Madaidan’s Insecurities (though it is biased, unmaintained, and promotes some fearmongering) does a better job at covering this issue (compared to Privacy Guides) by including examples. PrivSec expands on this by including other examples of Debian’s patching process introducing vulnerabilities.
As I understand it, this is ultimately an issue with any stable release distribution which freezes packages, so Fedora can still be affected by this, just to a much lesser extent than Debian. The only way to avoid the issue of frozen packages is to use a rolling-release distro, which comes with its own set of problems.
People (me included) often group Debian/Ubuntu together for convenience, but in this context, it’s worth remembering that Ubuntu has multiple release cadences.
- A 6 month release cycle, every spring and fall, just like Fedora.
- A 2 year LTS release cycle, every other year, similar to Debian Stable’s release cycle.
Also, Snap, like Flatpak, intends to divorce application updates from system updates. So the old orthodoxies about LTS vs short-period stable releases vs rolling releases are a bit messier and less clear-cut than they used to be.
I am not aware of any real world situations where Ubuntu/Debian/RHEL/CentOS/Leap/SLES/Alma/Rocky/Pop_OS/etc was impacted by an exploit in the wild that Fedora or Arch or Tumbleweed avoided due to their faster update cadence. But tbf that is not at all my field, I’m just an interested user, so I might just not be aware.
The only example I could find was CVE-2016-5195, based on when the patch with the fixes came out:
- Fedora: October 19, 2016
- Arch Linux: October 19, 2016
- openSUSE Tumbleweed: October 19, 2016
- Ubuntu: October 20, 2016
- Debian: October 26, 2016
- RHEL: November 2, 2016
- CentOS: November 2, 2016