Hi,

This was an error, and should not have happened. We will be rereleasing this with corrected summary and description.

Ciao, Marcus

On Sat, Feb 22, 2014 at 12:09:05PM +0100, Peter wrote:
Just running Online Update in YaST, one of the updates listed under 'Security' simply has the title 'openSUSE-2014-149'. A quick Google for this provides nothing obvious. Then in the description pane below, it reads:
'References:
CVE-2014-0015 (cve) : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
858673 (bugzilla) : https://bugzilla.novell.com/show_bug.cgi?id=858673
862144 (bugzilla) : https://bugzilla.novell.com/show_bug.cgi?id=862144'
The first of these (non-clickable) links brings up a page in which the only clue is this: 'cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.'
The other two pages linked require logging in to a Bugzilla account to get further information.
I'm no system administrator or security expert, but I don't like the idea of blindly applying updates without having any further indication (from an 'official' openSUSE source) of what they're about. That to me seems like bad security practice and something we're often reminded as users to be cautious of. What if, however unlikely some may believe it to be, there was some malicious update being sent out to openSUSE users? From these details above, we can't gather anything useful. I do in fact have a Novell Bugzilla account but that shouldn't be a prerequisite for everybody else.
What are others' thoughts on this? Should there be a requirement for more descriptive updates with links to clear info not walled off to registered users? Should I contact somebody on another security-focussed mailing list?
Peter
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org