Hi,
sorry, but we are currently very busy auditing and fixing things - the deadline for suse 6.4 is coming nearer and nearer ...
Ok ok - :-) But perhaps you should investigate why this make-3.77 security announcement didn't actually make it to the suse-security-announce list at all!
it didn't?? f*ck ... thomas, can you please resend it?
I downloaded exactly this rpm from the ftp server on 30 Jan while hunting for updates. That was 11 days ago! Now, why is it that the security announcement takes this long to appear?
this was a vulnerability thomas from our Security Team found during an audit. He made a patch and gave it to our packet maintainer, who inserted the patch, built the package and made them available on the ftp server. However, at the same time, we forwarded the patch to the other linux vendors, so they can prepare an update as well before our announcement is released, so that they are not left vulnerable or look bad in comparison. That's why the announcement is much later than the availability of the update. our own security found the vulnerability and informed the other vendors and gave them time to fix and make an update available as well. That's how we think these things should be handled - however we are open for proposals to enhance it :-)
Fair enough :-) Sounds like a good policy to me in cases like this. Btw is e.g. Red Hat giving you the same kind of time in return?
caldera and debian: yes. I won't publicly comment on redhat about that ... :(
(and on suse-security-announce it will appear approx. 10 hours later than on suse-security...) that's because ... I don't know ;-) I'd guess there are more people subscribed to suse-security than to suse-security-announce, and hence ...
Hm, I've also heard that the announce list was moderated. Neither explanation is really satisfactory - but the last announcement appeared virtually simultaneously so perhaps the list setup was changed for the better. Who cares as long as it works now.
yeah it was changed
SuSE takes security issues very seriously - as you can see by the manpower put into this area and security tools made available by SuSE.
Glad to hear...
:)

Greets, Marc
--
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc@suse.de
Function: Security Support & Auditing
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C