public inbox for gentoo-hardened@lists.gentoo.org
* [gentoo-hardened] security updates
@ 2007-02-10 16:02 Nagy Gabor Peter
  2007-02-10 16:43 ` Tom Hendrikx
                   ` (4 more replies)
  0 siblings, 5 replies; 15+ messages in thread
From: Nagy Gabor Peter @ 2007-02-10 16:02 UTC (permalink / raw
  To: gentoo-hardened

Hi list,

I have a question:

Since I am new to gentoo, I don't know how security updates work.

I know Debian. In Debian if I have stable installed on a production
server, I get regular security fixes, often backported from the current
bleeding edge version, where upstream has fixed the bug to the version
that Debian stable contains.

I have noticed that in gentoo there are many versions of a package that
are considered stable. Take glibc as an example, according to
http://packages.gentoo.org/search/?sstring=glibc, on x86 there are 8
versions available, all of them stable.

I have now two gentoo machines, one is going to be production, the
other is used to get me a little bit more familiar with the system.

On the playground machine I have 2006.1 installed, glibc 2.4-r3
On the production machine I have 2006.0, switched to hardened profile,
and then recompile, there I have glibc 2.3.6-r5

I see now that glibc 2.4-r3 should be upgraded to 2.4-r4 (by the way,
where can I check the differences (Changelog) between two gentoo
versions (like r3 and r4)?)

So my question: If someone finds a bug in glibc that gets corrected,
what does the gentoo maintainers do about it? Do they backport the fix
in all 8 versions? Or just in some of the versions and mark the not
fixed ones ~?

Is there some mailinglist (like debian-security-announce) where such
security fixes are announced?

What is the reason that the hardened profile selects the 2.3.6 version
instead of the 2.4? I mean not in glibc's case only, but generally.

Does libc 2.4 have troubles with ssp?

Cheers,
G
-- 
gentoo-hardened@gentoo.org mailing list



^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [gentoo-hardened] security updates
  2007-02-10 16:02 [gentoo-hardened] security updates Nagy Gabor Peter
@ 2007-02-10 16:43 ` Tom Hendrikx
  2007-02-10 17:02 ` John Schember
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 15+ messages in thread
From: Tom Hendrikx @ 2007-02-10 16:43 UTC (permalink / raw
  To: gentoo-hardened




Nagy Gabor Peter wrote:
> Hi list,
> 
> I have a question:
> 
> Since I am new to gentoo, I don't know how security updates work.
> 
> I know Debian. In Debian if I have stable installed on a production
> server, I get regular security fixes, often backported from the current
> bleeding edge version, where upstream has fixed the bug to the version
> that Debian stable contains.
> 
> I have noticed that in gentoo there are many versions of a package that
> are considered stable. Take glibc as an example, according to
> http://packages.gentoo.org/search/?sstring=glibc, on x86 there are 8
> versions available, all of them stable.
> 
> I have now two gentoo machines, one is going to be production, the
> other is used to get me a little bit more familiar with the system.
> 
> On the playground machine I have 2006.1 installed, glibc 2.4-r3
> On the production machine I have 2006.0, switched to hardened profile,
> and then recompile, there I have glibc 2.3.6-r5
> 
> I see now that glibc 2.4-r3 should be upgraded to 2.4-r4 (by the way,
> where can I check the differences (Changelog) between two gentoo
> versions (like r3 and r4)?)

On the packages.gentoo.org there is a link to the changelog that
describes major changes to ebuilds.

> 
> So my question: If someone finds a bug in glibc that gets corrected,
> what does the gentoo maintainers do about it? Do they backport the fix
> in all 8 versions? Or just in some of the versions and mark the not
> fixed ones ~?

Mostly, when a package (f.i. glibc-2.3.6-r5) contains a bug, a new
ebuild is released under a new revision (in this example:
glibc-2.3.6-r6) and then marked stable. The vulnerable ebuild will be
removed. Users do an 'emerge --sync && emerge -uD world' and get the new
glibc installed.


> 
> Is there some mailinglist (like debian-security-announce) where such
> security fixes are announced?

Security fixes are announced on the gentoo-announce mailing list, see
http://www.gentoo.org/main/en/lists.xml for more info.

> 
> What is the reason that the hardened profile selects the 2.3.6 version
> instead of the 2.4? I mean not in glibc's case only, but generally.
> 
> Does libc 2.4 have troubles with ssp?
> 

Support for PIE and/or SSP is not complete for glibc >2.3 and gcc 4.
There was some overlay with usable ebuilds for these versions.

I'm not sure about the reason why it doesn't work yet and why it takes
so much trouble, there are some ppl on this list who can explain that
far better...


Tom




* Re: [gentoo-hardened] security updates
  2007-02-10 16:02 [gentoo-hardened] security updates Nagy Gabor Peter
  2007-02-10 16:43 ` Tom Hendrikx
@ 2007-02-10 17:02 ` John Schember
  2007-02-10 18:21 ` Jean-Pierre Schwickerath
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 15+ messages in thread
From: John Schember @ 2007-02-10 17:02 UTC (permalink / raw
  To: gentoo-hardened

On Sat, 2007-02-10 at 17:02 +0100, Nagy Gabor Peter wrote:
> Hi list,
> 
> I have a question:
I think you had more than a single question... But the list is here to
get help so the more questions the merrier ;-).

> Since I am new to gentoo, I don't know how security updates work.
GLSA is what you're looking for. You can see all current security
announcements at http://www.gentoo.org/security/en/glsa/

> I know Debian. In Debian if I have stable installed on a production
> server, I get regular security fixes, often backported from the current
> bleeding edge version, where upstream has fixed the bug to the version
> that Debian stable contains.
On Gentoo it is backported as needed. Often the latest version contains
the fix and as long as it is stable on all supported arches the fix will
not be backported to older versions.

> I have noticed that in gentoo there are many versions of a package that
> are considered stable. Take glibc as an example, according to
> http://packages.gentoo.org/search/?sstring=glibc, on x86 there are 8
> versions available, all of them stable.
If you look at http://www.gentoo.org/security/en/glsa/glsa-200410-19.xml
you can see the fix was backported in a bunch of -r# releases. If you
have a doubt about security fixes to an older package release check
GLSA.

> I have now two gentoo machines, one is going to be production, the
> other is used to get me a little bit more familiar with the system.
> 
> On the playground machine I have 2006.1 installed, glibc 2.4-r3
> On the production machine I have 2006.0, switched to hardened profile,
> and then recompile, there I have glibc 2.3.6-r5
> 
> I see now that glibc 2.4-r3 should be upgraded to 2.4-r4 (by the way,
> where can I check the differences (Changelog) between two gentoo
> versions (like r3 and r4)?)
The change log is in the directory in your local portage tree,
i.e., /usr/portage/sys-libs/glibc/ChangeLog. You can also use the
unofficial portage listing page http://gentoo-portage.com to see the
change log.

> So my question: If someone finds a bug in glibc that gets corrected,
> what does the gentoo maintainers do about it? Do they backport the fix
> in all 8 versions? Or just in some of the versions and mark the not
> fixed ones ~?
~arch is the equivalent of Debian testing. They are simply packages that
have been added to the tree but need to be verified stable. Packages
that are stable but have a security issue do not go back to ~arch. It is
only way from ~arch (testing) to arch (stable).

> Is there some mailinglist (like debian-security-announce) where such
> security fixes are announced?
Here is a how-to for checking whether any packages you have installed
have an announcement after syncing.
http://forums.vpslink.com/showthread.php?t=745 Basically 

> What is the reason that the hardened profile selects the 2.3.6 version
> instead of the 2.4? I mean not in glibc's case only, but generally.
> Does libc 2.4 have troubles with ssp?
That is the reason. The SSP patches that the hardened profile uses are
not available for 2.4. They probably won't ever be available for 2.4
simply because 2.5 is in ~arch right now. Supposedly when 2.5 gets
marked stable there will be SSP patches for it and it will be used on
the hardened profile.

John Schember

-- 
gentoo-hardened@gentoo.org mailing list




* Re: [gentoo-hardened] security updates
  2007-02-10 16:02 [gentoo-hardened] security updates Nagy Gabor Peter
  2007-02-10 16:43 ` Tom Hendrikx
  2007-02-10 17:02 ` John Schember
@ 2007-02-10 18:21 ` Jean-Pierre Schwickerath
  2007-02-11  2:17 ` Andrew Ross
  2007-02-11 12:38 ` Kevin F. Quinn
  4 siblings, 0 replies; 15+ messages in thread
From: Jean-Pierre Schwickerath @ 2007-02-10 18:21 UTC (permalink / raw
  To: gentoo-hardened

Hi, 
 
> I see now that glibc 2.4-r3 should be upgraded to 2.4-r4 (by the way,
> where can I check the differences (Changelog) between two gentoo
> versions (like r3 and r4)?)

Check the -l flag when using emerge. For instance:
emerge -plavuD world
 
> So my question: If someone finds a bug in glibc that gets corrected,
> what does the gentoo maintainers do about it? Do they backport the fix
> in all 8 versions? Or just in some of the versions and mark the not
> fixed ones ~?

I'm sure here. 
But on the glsa-notice you'll see which versions are vulnerable and
which are unaffected by the corrected bug. 
 
> Is there some mailinglist (like debian-security-announce) where such
> security fixes are announced?

Have a look at http://www.gentoo.org/security/en/
You'll find info on the glsa-check utility and the mailing list.


> What is the reason that the hardened profile selects the 2.3.6 version
> instead of the 2.4? I mean not in glibc's case only, but generally.
> 
> Does libc 2.4 have troubles with ssp?

Indeed. Not all features are ported to 2.4.


Regards. 

Jean-Pierre

-- 
Powered by GNU/Linux - http://schwicky.net/
PGP Key ID: 0xEE6F49B4 - ICQ: 4690141 - schwicky@jabber.org

Nothing is impossible... Everything is relative!
-- 
gentoo-hardened@gentoo.org mailing list




* Re: [gentoo-hardened] security updates
  2007-02-10 16:02 [gentoo-hardened] security updates Nagy Gabor Peter
                   ` (2 preceding siblings ...)
  2007-02-10 18:21 ` Jean-Pierre Schwickerath
@ 2007-02-11  2:17 ` Andrew Ross
  2007-02-11 12:38 ` Kevin F. Quinn
  4 siblings, 0 replies; 15+ messages in thread
From: Andrew Ross @ 2007-02-11  2:17 UTC (permalink / raw
  To: gentoo-hardened


Nagy Gabor Peter wrote:

> where can I check the differences (Changelog) between two gentoo
> versions (like r3 and r4)?

If you already have the package installed, you can use emerge's
--changelog argument. From man emerge:

"--changelog (-l)

Use this in conjunction with the --pretend option. This will show the
ChangeLog entries for all the packages that will be upgraded."

Cheers

Andrew





* Re: [gentoo-hardened] security updates
  2007-02-10 16:02 [gentoo-hardened] security updates Nagy Gabor Peter
                   ` (3 preceding siblings ...)
  2007-02-11  2:17 ` Andrew Ross
@ 2007-02-11 12:38 ` Kevin F. Quinn
  4 siblings, 0 replies; 15+ messages in thread
From: Kevin F. Quinn @ 2007-02-11 12:38 UTC (permalink / raw
  To: gentoo-hardened


On Sat, 10 Feb 2007 17:02:38 +0100
Nagy Gabor Peter <linux42@freemail.hu> wrote:

> Hi list,
> 
> I have a question:
> 
> Since I am new to gentoo, I don't know how security updates work.
> 
> I know Debian. In Debian if I have stable installed on a production
> server, I get regular security fixes, often backported from the
> current bleeding edge version, where upstream has fixed the bug to
> the version that Debian stable contains.

Where a security issue is identified in a package, all versions in the
tree are either bumped (patched, backported or otherwise) or removed
from the tree.

> I have noticed that in gentoo there are many versions of a package
> that are considered stable. Take glibc as an example, according to
> http://packages.gentoo.org/search/?sstring=glibc, on x86 there are 8
> versions available, all of them stable.

Yep; that's normal.  We don't force people to always go up to the
latest version of a package.  This is especially true for central
packages like glibc, which users may well prefer not to upgrade apart
from security fixes.  If you're building a new system, you might as well
use the latest (which is what you get unless you specifically ask for
something different).

> I have now two gentoo machines, one is going to be production, the
> other is used to get me a little bit more familiar with the system.
> 
> On the playground machine I have 2006.1 installed, glibc 2.4-r3
> On the production machine I have 2006.0, switched to hardened profile,
> and then recompile, there I have glibc 2.3.6-r5
> 
> I see now that glibc 2.4-r3 should be upgraded to 2.4-r4 (by the way,
> where can I check the differences (Changelog) between two gentoo
> versions (like r3 and r4)?)
> 
> So my question: If someone finds a bug in glibc that gets corrected,
> what does the gentoo maintainers do about it? Do they backport the fix
> in all 8 versions? Or just in some of the versions and mark the not
> fixed ones ~?

For serious security issues, all versions, stable and ~, should get
patched & bumped, or removed if they're not easily patched.  For other
bugs it depends on the severity of a bug.

> Is there some mailinglist (like debian-security-announce) where such
> security fixes are announced?

See the gentoo-announce mailing list, where all GLSA (Gentoo Linux
Security Advisories) are posted.

> What is the reason that the hardened profile selects the 2.3.6 version
> instead of the 2.4? I mean not in glibc's case only, but generally.

Our toolchain modifications for >=glibc-2.4 and gcc-4.1 aren't quite
ready yet.  I just have to resolve some significant test failures on
x86, then it should be good to go.

> Does libc 2.4 have troubles with ssp?

Not really, however SSP has changed significantly from gcc-3 to
gcc-4 - RedHat have re-implemented SSP and in the process changed its
behaviour in significant ways.

-- 
Kevin F. Quinn


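The mechanics laid out in this thread (John's point that a GLSA names which -r# revisions carry the backported fix, and Kevin's that every version in the tree is either bumped or dropped) come down to comparing each installed version against the advisory's <unaffected> and <vulnerable> ranges, which is the comparison the glsa-check utility Jean-Pierre points to performs for every advisory in the tree. The Python below is an added example and not code from the list, from gentoolkit or from glsa-check itself. The advisory XML and the installed-package list are constructed samples: the XML follows the <affected>/<package>/<unaffected>/<vulnerable> layout of real GLSAs but the id 200702-99 and its contents are made up, and the version comparator is a simplified one (dotted numerics, a trailing letter, _alpha/_beta/_pre/_rc/_p suffixes and -rN revisions) rather than the full PMS algorithm.

```python
"""Check installed Gentoo package versions against a GLSA's affected ranges.

Added example, not code from the list, gentoolkit or glsa-check. The advisory
XML and the installed-package list below are constructed samples; the XML
follows the <affected>/<package>/<unaffected>/<vulnerable> layout of real
GLSAs, and the advisory id is made up.
"""
import re
import xml.etree.ElementTree as ET

# Constructed advisory: the 2.4 series is fixed from 2.4-r4 on, and the fix
# was backported to the 2.3.6 series as revision r6 (the "rge" range means
# "same base version, revision >= 6"). Everything below 2.4-r4 that is not
# cleared by an <unaffected> range is vulnerable.
SAMPLE_GLSA = """<?xml version="1.0" encoding="UTF-8"?>
<glsa id="200702-99">
  <title>glibc: constructed example advisory</title>
  <affected>
    <package name="sys-libs/glibc" auto="yes" arch="*">
      <unaffected range="ge">2.4-r4</unaffected>
      <unaffected range="rge">2.3.6-r6</unaffected>
      <vulnerable range="lt">2.4-r4</vulnerable>
    </package>
  </affected>
</glsa>
"""

# Constructed snapshot of versions present on a system (several slots kept).
INSTALLED = {
    "sys-libs/glibc": ["2.3.6-r5", "2.3.6-r6", "2.4-r3", "2.4-r4", "2.5"],
    "sys-devel/gcc": ["3.4.6-r2"],
}

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffix>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?$"
)
# Pre-release suffixes sort below a bare version, _p (patch level) above it.
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}


def parse_version(ver):
    """Split a Gentoo version into a comparable tuple.

    Simplified relative to PMS: dotted numeric components, optional trailing
    letter, _alpha/_beta/_pre/_rc/_p suffixes and a -rN revision. The result
    is (numbers, letter, suffixes, revision); a version without a suffix gets
    the neutral suffix (0, 0) so that 2.4 sorts above 2.4_rc1.
    """
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unparseable version: {ver!r}")
    nums = tuple(int(x) for x in m.group("nums").split("."))
    suffixes = tuple(
        (_SUFFIX_RANK[name], int(num or 0))
        for name, num in re.findall(r"_(alpha|beta|pre|rc|p)(\d*)", m.group("suffix"))
    ) or ((0, 0),)
    return (nums, m.group("letter") or "", suffixes, int(m.group("rev") or 0))


def version_in_range(installed, mode, bound):
    """True if `installed` satisfies a GLSA range `mode` against `bound`.

    lt/le/eq/ge/gt compare the whole version. The r-prefixed forms
    (rlt/rle/rge/rgt) require the same base version and compare only the
    revision, which is how a backport to one -rN line is expressed.
    """
    inst, ref = parse_version(installed), parse_version(bound)
    if mode.startswith("r"):
        if inst[:3] != ref[:3]:
            return False
        inst, ref, mode = inst[3], ref[3], mode[1:]
    return {"lt": inst < ref, "le": inst <= ref, "eq": inst == ref,
            "ge": inst >= ref, "gt": inst > ref}[mode]


def affected_versions(glsa_xml, installed):
    """Return {atom: [versions]} that the advisory marks vulnerable.

    Same rule as glsa-check: a version matching any <unaffected> range is
    clear; otherwise it is vulnerable if it matches any <vulnerable> range.
    Packages the advisory does not name are ignored.
    """
    root = ET.fromstring(glsa_xml)
    hits = {}
    for pkg in root.iter("package"):
        atom = pkg.get("name")
        clear = [(e.get("range"), e.text.strip()) for e in pkg.findall("unaffected")]
        vuln = [(e.get("range"), e.text.strip()) for e in pkg.findall("vulnerable")]
        for ver in installed.get(atom, []):
            if any(version_in_range(ver, m, b) for m, b in clear):
                continue
            if any(version_in_range(ver, m, b) for m, b in vuln):
                hits.setdefault(atom, []).append(ver)
    return hits


if __name__ == "__main__":
    glsa_id = ET.fromstring(SAMPLE_GLSA).get("id")
    for atom, versions in affected_versions(SAMPLE_GLSA, INSTALLED).items():
        print(f"GLSA {glsa_id}: {atom} vulnerable at {', '.join(versions)}")
```

Against the constructed data this reports glibc 2.3.6-r5 and 2.4-r3 as vulnerable while 2.3.6-r6, 2.4-r4 and 2.5 are cleared, which is exactly the "fix bumped into each -rN line, old revision removed" pattern described above: a machine still on an older slot is safe only once its own revision line has been bumped, not because a newer slot exists in the tree.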

* [gentoo-hardened] Security updates
@ 2010-01-21 12:19 Machell, Jonathan
  2010-01-21 14:05 ` klondike
                   ` (6 more replies)
  0 siblings, 7 replies; 15+ messages in thread
From: Machell, Jonathan @ 2010-01-21 12:19 UTC (permalink / raw
  To: 'gentoo-hardened@lists.gentoo.org'

Hello there,

We're currently trialling Gentoo to possibly host some of our web-servers. I've used Gentoo for over eight years so I'm leading these trials.

I've subscribed to this mailing list but also gentoo-server and gentoo-security. I'm trying to keep up to speed with all the latest security news affecting Gentoo, GNU/Linux, Apache and MySQL. Should subscription to these mailing lists be sufficient for this or is there any other place where I should be looking to keep on top of security issues? I'm aware that this and the other two mailing lists are low traffic but I haven't heard a peep since subscribing on Tuesday. Is that normal? I was hoping to go through the archives of previous messages at some point. Are these kept somewhere?

Many thanks,

Jonathan Machell
University of Cumbria is a Company Limited by Guarantee, Registered in England & Wales No. 06033238. Registered Office: University of Cumbria, Fusehill Street, Carlisle, CA1 2HH. Telephone 01228 616234.

Confidentiality: This email and its attachments are intended for the above named only and may be confidential. If they have come to you in error you must take no action based on them, nor must you copy or show them to anyone; please reply to this email and highlight the error.

Security Warning: Please note that this email has been created in the knowledge that Internet email is not a 100% secure communications medium. We advise that you understand and observe this lack of security when emailing us.

Viruses: Although we have taken steps to ensure that this email and attachments are free from any virus, we advise that in keeping with good computing practice the recipient should ensure they are actually virus free.



* Re: [gentoo-hardened] Security updates
  2010-01-21 12:19 [gentoo-hardened] Security updates Machell, Jonathan
@ 2010-01-21 14:05 ` klondike
  2010-01-21 14:06 ` Kerin Millar
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 15+ messages in thread
From: klondike @ 2010-01-21 14:05 UTC (permalink / raw
  To: gentoo-hardened


2010/1/21 Machell, Jonathan <Jonathan.Machell@cumbria.ac.uk>:
> Hello there,
>
> We're currently trialling Gentoo to possibly host some of our web-servers. I've used Gentoo for over eight years so I'm leading these trials.
>
> I've subscribed to this mailing list but also gentoo-server and gentoo-security. I'm trying to keep up to speed with all the latest security news affecting Gentoo, GNU/Linux, Apache and MySQL. Should subscription to these mailing lists be sufficient for this or is there any other place where I should be looking to keep on top of security issues? I'm aware that this and the other two mailing lists are low traffic but I haven't heard a peep since subscribing on Tuesday. Is that normal? I was hoping to go through the archives of previous messages at some point. Are these kept somewhere?
All the archives:
http://archives.gentoo.org/gentoo-hardened/

To keep track of safety problems you can check here:
http://secunia.com/
or here:
http://cve.mitre.org/
(to give an example).

Francisco Blas Izquierdo Riera (klondike)



* Re: [gentoo-hardened] Security updates
  2010-01-21 12:19 [gentoo-hardened] Security updates Machell, Jonathan
  2010-01-21 14:05 ` klondike
@ 2010-01-21 14:06 ` Kerin Millar
  2010-01-21 14:12 ` Claes Gyllenswärd
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 15+ messages in thread
From: Kerin Millar @ 2010-01-21 14:06 UTC (permalink / raw
  To: gentoo-hardened

2010/1/21 Machell, Jonathan <Jonathan.Machell@cumbria.ac.uk>:
> Hello there,

Hello.

> I've subscribed to this mailing list but also gentoo-server and gentoo-security. I'm trying to keep up to speed with all the latest security news affecting Gentoo, GNU/Linux, Apache and MySQL. Should subscription to these mailing lists be sufficient for this or is there any other place where I should be looking to keep on top of security issues? I'm aware that this and the other two mailing lists are low traffic but I haven't heard a peep since subscribing on Tuesday. Is that normal? I was hoping to go through the archives of previous messages at some point. Are these kept somewhere?

You would do well to turn your attention to the gentoo-announce list,
whose archives may be perused at
http://archives.gentoo.org/gentoo-announce/ or via third party
services - http://dir.gmane.org/gmane.linux.gentoo.announce for
instance.

Cheers,

--Kerin




* Re: [gentoo-hardened] Security updates
  2010-01-21 12:19 [gentoo-hardened] Security updates Machell, Jonathan
  2010-01-21 14:05 ` klondike
  2010-01-21 14:06 ` Kerin Millar
@ 2010-01-21 14:12 ` Claes Gyllenswärd
  2010-01-21 14:20 ` Andri Möll
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 15+ messages in thread
From: Claes Gyllenswärd @ 2010-01-21 14:12 UTC (permalink / raw
  To: gentoo-hardened

2010/1/21 Machell, Jonathan <Jonathan.Machell@cumbria.ac.uk>:
> Hello there,
>
> We're currently trialling Gentoo to possibly host some of our web-servers. I've used Gentoo for over eight years so I'm leading these trials.
>
> I've subscribed to this mailing list but also gentoo-server and gentoo-security. I'm trying to keep up to speed with all the latest security news affecting Gentoo, GNU/Linux, Apache and MySQL. Should subscription to these mailing lists be sufficient for this or is there any other place where I should be looking to keep on top of security issues? I'm aware that this and the other two mailing lists are low traffic but I haven't heard a peep since subscribing on Tuesday. Is that normal? I was hoping to go through the archives of previous messages at some point. Are these kept somewhere?
>
> Many thanks,
>

I can't answer question 1.
The frequency you described is normal. Last message was Monday.
The above can also be verified by looking at the answer to your third
question, which is here: http://archives.gentoo.org/




* Re: [gentoo-hardened] Security updates
  2010-01-21 12:19 [gentoo-hardened] Security updates Machell, Jonathan
                   ` (2 preceding siblings ...)
  2010-01-21 14:12 ` Claes Gyllenswärd
@ 2010-01-21 14:20 ` Andri Möll
  2010-01-21 15:36 ` RB
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 15+ messages in thread
From: Andri Möll @ 2010-01-21 14:20 UTC (permalink / raw
  To: gentoo-hardened

On Thu, 2010-01-21 at 12:19 +0000, Machell, Jonathan wrote:
> I'm trying to keep up to speed with all the latest security news
> affecting Gentoo, GNU/Linux, Apache and MySQL. Should subscription to
> these mailing lists be sufficient for this or is there any other place
> where I should be looking to keep on top of security issues?

Bugtraq and/or friends are also convenient for staying up to date:
bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk,
security-alerts@linuxsecurity.com


Andri





* Re: [gentoo-hardened] Security updates
  2010-01-21 12:19 [gentoo-hardened] Security updates Machell, Jonathan
                   ` (3 preceding siblings ...)
  2010-01-21 14:20 ` Andri Möll
@ 2010-01-21 15:36 ` RB
  2010-01-21 15:47   ` Machell, Jonathan
  2010-01-22  6:36 ` Jonny Kent
  2010-01-22 17:29 ` Michael Orlitzky
  6 siblings, 1 reply; 15+ messages in thread
From: RB @ 2010-01-21 15:36 UTC (permalink / raw
  To: gentoo-hardened

On Thu, Jan 21, 2010 at 05:19, Machell, Jonathan
<Jonathan.Machell@cumbria.ac.uk> wrote:
> I'm aware that this and the other two mailing lists are low traffic but I haven't heard a peep since subscribing on Tuesday. Is that normal?

Quite. If you want chatter, hit the #gentoo-hardened IRC channel.

> I was hoping to go through the archives of previous messages at some point. Are these kept somewhere?

To name a few:
http://archives.gentoo.org/gentoo-hardened/
http://news.gmane.org/gmane.linux.gentoo.hardened
http://marc.info/?l=gentoo-hardened&r=1&w=2

> Jonathan Machell
> University of Cumbria is a Company Limited by Guarantee, Registered in England & Wales No. 06033238. Registered Office: University of Cumbria, Fusehill Street, Carlisle, CA1 2HH. Telephone 01228 616234.
>
> Confidentiality: This email and its attachments are intended for the above named only and may be confidential. If they have come to you in error you must take no action based on them, nor must you copy or show them to anyone; please reply to this email and highlight the error.
>
> Security Warning: Please note that this email has been created in the knowledge that Internet email is not a 100% secure communications medium. We advise that you understand and observe this lack of security when emailing us.
>
> Viruses: Although we have taken steps to ensure that this email and attachments are free from any virus, we advise that in keeping with good computing practice the recipient should ensure they are actually virus free.
>

Unenforceable boilerplate longer than the message, and foolish to
boot.  Try to avoid attaching these when posting to mailing lists,
you'll only get vitriol.




* RE: [gentoo-hardened] Security updates
  2010-01-21 15:36 ` RB
@ 2010-01-21 15:47   ` Machell, Jonathan
  0 siblings, 0 replies; 15+ messages in thread
From: Machell, Jonathan @ 2010-01-21 15:47 UTC (permalink / raw
  To: 'gentoo-hardened@lists.gentoo.org'

Excellent. Thanks for this. I'm aware of #gentoo-hardened but seem to have lost my IRC client. Easy enough to remedy. I'll check out the archives when I have a moment.

I don't seem to have any control over the signature (boilerplate?!). Believe me, if I could remove this, I would. I think the signature is automatically tagged on all e-mail by our vigilant mail server.

The other option is using another mail account . . . I might do that actually.

Regards,

Jonathan 





* Re: [gentoo-hardened] Security updates
  2010-01-21 12:19 [gentoo-hardened] Security updates Machell, Jonathan
                   ` (4 preceding siblings ...)
  2010-01-21 15:36 ` RB
@ 2010-01-22  6:36 ` Jonny Kent
  2010-01-22 17:29 ` Michael Orlitzky
  6 siblings, 0 replies; 15+ messages in thread
From: Jonny Kent @ 2010-01-22  6:36 UTC (permalink / raw
  To: gentoo-hardened


As well as all the good suggestions others have made, consider using a cron
job to run a glsa check daily after updating portage.
# glsa-check -t all
That will email you indications of security issues specifically affecting
your systems as configured.

On Thu, Jan 21, 2010 at 4:19 AM, Machell, Jonathan <
Jonathan.Machell@cumbria.ac.uk> wrote:

> Hello there,
>
> We're currently trialling Gentoo to possibly host some of our web-servers.
> I've used Gentoo for over eight years so I'm leading these trials.
>
> I've subscribed to this mailing list but also gentoo-server and
> gentoo-security. I'm trying to keep up to speed with all the latest security
> news affecting Gentoo, GNU/Linux, Apache and MySQL. Should subscription to
> these mailing lists be sufficient for this or is there any other place where
> I should be looking to keep on top of security issues? I'm aware that this
> and the other two mailing lists are low traffic but I haven't heard a peep
> since subscribing on Tuesday. Is that normal? I was hoping to go through the
> archives of previous messages at some point. Are these kept somewhere?
>
> Many thanks,
>



* Re: [gentoo-hardened] Security updates
  2010-01-21 12:19 [gentoo-hardened] Security updates Machell, Jonathan
                   ` (5 preceding siblings ...)
  2010-01-22  6:36 ` Jonny Kent
@ 2010-01-22 17:29 ` Michael Orlitzky
  6 siblings, 0 replies; 15+ messages in thread
From: Michael Orlitzky @ 2010-01-22 17:29 UTC (permalink / raw
  To: gentoo-hardened

Machell, Jonathan wrote:
> Hello there,
> 
> We're currently trialling Gentoo to possibly host some of our web-servers. I've used Gentoo for over eight years so I'm leading these trials.
> 
> I've subscribed to this mailing list but also gentoo-server and gentoo-security. I'm trying to keep up to speed with all the latest security news affecting Gentoo, GNU/Linux, Apache and MySQL. Should subscription to these mailing lists be sufficient for this or is there any other place where I should be looking to keep on top of security issues? I'm aware that this and the other two mailing lists are low traffic but I haven't heard a peep since subscribing on Tuesday. Is that normal? I was hoping to go through the archives of previous messages at some point. Are these kept somewhere?

I'm late to the party on this, but I also subscribe to the mailing lists 
of all public-facing software on our servers. For example, Postfix, 
Dovecot, SpamAssassin, Apache, PHP, ClamAV... Many security issues get 
reported to those lists before they're officially dubbed security issues.

"Public-facing" is of course a meaningless term. Do you include 
iptables? How about glibc? GCC itself? You'll have to use your judgment 
and/or eliminate the lists that are boring to listen to. If you flood 
your inbox with noise, you'll stop paying attention and lose the 
benefits altogether.



