Hi,

I would like to see more security announcements by SuSE. There is usually sooner or later an update on the FTP server and then a couple of days later there is an announcement. There is for instance this file:

---------------------------------------------
ftp://ftp.suse.com/pub/suse/i386/update/7.0/a1/modules-2.3.11-73.i386_en.info
Description: Security bug fixed
Date: Fri 10 Nov 2000 05:36:25 PM CET
---------------------------------------------

What I would like to see is

a) A quick announcement if a program shipped with SuSE is vulnerable and how this can be fixed as a workaround: remove suid bit, deinstall program etc. I rarely see this happen (except: "Not vulnerable").

b) The fix itself. This usually happens -- sometimes very quickly, but sometimes it takes rather long.

If I compare it with FreeBSD, SuSE releases only very few announcements; I'd really like to see more announcements since this would save me the time to read Bugtraq ;-)

(FreeBSD had e.g. recently "TOP", first announcement: remove suid bit, second announcement: fix is ready for cooking. Depending on the environment one *can* choose whether waiting for a fix or applying the workaround is the better solution.)

By the way, what about:
- Bind
- Pine (someone at SuSE is testing this infamous WU program, says Roman)
- top ?
- getnameinfo denial-of-service ?
- dump ?
- xfce ?
- tcpdump

I'm sure that there might be some messages which I overlooked (e.g. SuSE not-vulnerable or not listed above).

Tobias

PS: Compared with the situation a year ago, security issues are now on a higher agenda of SuSE, but you always want to have a little bit more ;-)

--
This above all: To thine own self be true / And it must follow as the night the day / Thou canst not then be false to any man
Hello!
> Hi,
> I would like to see more security announcements by SuSE. There is
Many vendors issue advisories of all kinds these days. While I completely agree that reliable information flow is one of the basic ingredients of a more secure computing environment, we want SuSE to stress quality instead of quantity (I'm not talking about the x-large number of packages in our distribution for now). As a consequence, we try to collect the ongoing issues to make a single statement instead of a spam wave on the security lists in case there was no SuSE security announcement for a while (there's a big one in the queue, see below). If it's a bad hole and obvious, we don't hesitate.
> usually sooner or later an update on the FTP server and then a couple of days later there is an announcement.
> There is for instance this file:
> ---------------------------------------------
> ftp://ftp.suse.com/pub/suse/i386/update/7.0/a1/modules-2.3.11-73.i386_en.info
> Description: Security bug fixed
> Date: Fri 10 Nov 2000 05:36:25 PM CET
> ---------------------------------------------
Yes. They will be addressed in a collected summary. The sorting key is severity: Pending remote attack vulnerabilities just weigh more than tmp file races of extraterrestrial software. The gap is also often a result of testing. You might have seen apache and php packages out there but no advisory yet - to come, soon, with a new version. It must not only be fast, it must be 100%, for 6 distributions on 6 platforms. [...]
> I'm sure that there might be some messages which I overlooked (e.g. SuSE not-vulnerable or not listed above).
There are some more problems with packages, yes. :-/ It will be a bit (up to "considerably") more noise in the following few days. So be it. We have a long list of issues here that are being addressed by Monday, noon. Your questions will be answered by then, I think.

In the meanwhile, for the impatient: (nv==not vulnerable) (np==no such package)

phf: nv
vlock: np
tcpdump: wip, fix soon, this may be very hard to exploit, if at all possible.
crontab: nv
global: nv
dump: Who needs setuid on that in the first place? nv.
pine: Our pine package maintainer had a ready-to-be-released package ready within the shortest time, but the bare release just doesn't work further than a few keystrokes. Should be solved within a few days.
ping: investigating, likely to nv.
thttpd: bug present, but not serious, fixed, updates avail.

Please understand that in some cases there's an ongoing effort between vendors (Linux in particular) underway to coordinate the publishing of security breaches. This causes some delay sometimes.
> Tobias
>
> PS: Compared with the situation a year ago, security issues are now on a higher agenda of SuSE, but you always want to have a little bit more ;-)
A start. I want to read your criticism after 8 months again.
Roman.
--
| Roman Drahtmüller
hi2all
> There is for instance this file:
> ---------------------------------------------
> ftp://ftp.suse.com/pub/suse/i386/update/7.0/a1/modules-2.3.11-73.i386_en.info
> Description: Security bug fixed
> Date: Fri 10 Nov 2000 05:36:25 PM CET
> ---------------------------------------------
On the web page there is also the 'modules' update, as well as several others since the last sec-announce.
> In the meanwhile, for the impatient: (nv==not vulnerable) (np==no such package)
>
> phf: nv
> vlock: np
> tcpdump: wip, fix soon, this may be very hard to exploit, if at all possible.
> crontab: nv
> global: nv
> dump: Who needs setuid on that in the first place? nv.
> pine: Our pine package maintainer had a ready-to-be-released package ready within shortest time, but the bare release just doesn't work further than a few keystrokes. Should be solved within a few days.
> ping: investigating, likely to nv.
> thttpd: bug present, but not serious, fixed, updates avail.
So, what about a new 'tool' called Security/Updates Status Report, a 'live' page on the web site for the 'impatients'? Here could be posted all 'running' issues, known bugs, whether it is 'nv'/'np' or a (not) default package, etc., and the present status of them, person in charge for the task, person for contact on doubts/adds on the issue, predictable date of update release and sec-announce, etc ...

This way we all could see how hard you guys are working for the good of us ... probably doing this like just putting alive part of the internal report system? =;o)

[ ]'s
bacano
On Sun, 12 Nov 2000, bacano wrote:
> In the web page there is also the 'modules' update, as several others since the last sec-announce.

hi,

please understand this. It's the weekend. We do our best. You will be informed about every security related change. Hopefully next week.

Sebastian
participants (4)
- bacano
- Roman Drahtmueller
- Sebastian Krahmer
- Tobias Burnus