[opensuse] glibc and openSUSE-2015-383
Hi Folks,

I'm getting dinged by Tenable on some of my 13.1 x86-64 boxes. The Tenable plugin here:

http://www.tenable.com/plugins/index.php?view=single&id=83867

says openSUSE-2015-383 will patch the problem. glibc-2.18-4.32.1 is installed on the systems, but Tenable wants glibc-2.18-4.32.2.

So I find this security announcement:

http://lists.opensuse.org/opensuse-updates/2015-05/msg00084.html

As instructed, I run "zypper in -t patch openSUSE-2015-383=1" which says "patch:openSUSE-2015-383 = 1" is already installed. But the Package List doesn't show glibc-2.18-4.32.2, and rpm -qa shows only glibc-2.18-4.32.1.x86_64.

Does openSUSE-2015-383 not work for 13.1 x86-64? Was the fix backported? Or is this a falling out of support thing? Is Evergreen working for 13.1?

Thanks for any help. If I can't explain this I'm going to have to do some crash upgrades to 13.2 to thwart the jack-booted IA Storm Troopers.

Regards,
Lew

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org

On 2015-06-09 23:56, Lew Wolfgang wrote:
> Is Evergreen working for 13.1?

No. We are still in the official 13.1 support period.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))

On 06/09/2015 08:14 PM, Carlos E. R. wrote:
> On 2015-06-09 23:56, Lew Wolfgang wrote:
>> Is Evergreen working for 13.1?
> No. We are still in the official 13.1 support period

Why then wouldn't glibc get updated? Was it backported, or are the vulnerabilities still there in 13.1?

Regards,
Lew

On 2015-06-10 06:04, Lew Wolfgang wrote:
> On 06/09/2015 08:14 PM, Carlos E. R. wrote:
> Why then wouldn't glibc get updated? Was it backported, or are the vulnerabilities still there in 13.1?

It looks to me that the patch for 13.1 is patch openSUSE-2015-383=1, producing glibc-2.18-4.32.1 and glibc-32bit-2.18-4.32.2 (and that's what I have installed).

And it covers the same issues as published in the tenable link, it is that patch.

As far as I can see, glibc was updated. Possibly Tenable is confused with glibc-32bit and other rpms, which are version 2.18-4.32.2. I don't think they should be looking at that last digit.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
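
[Added example, not part of the thread and not openSUSE or Tenable code.] The reply above points out that one patch can ship different release numbers for different package names; this sketch compares each installed package against the fixed build for that same name, using a simplified RPM version compare. The host inventory and the ONE_SIZE threshold are constructed for illustration.

```python
import re

def rpmvercmp(a, b):
    """Simplified RPM segment compare: -1, 0 or 1 (no '~' or '^' handling)."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment is newer than alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def below_fixed(installed, fixed):
    """Names of installed packages older than the fixed build for that same name."""
    return sorted(n for n, evr in installed.items()
                  if n in fixed and evr_cmp(evr, fixed[n]) < 0)

# Fixed builds per package name, as given in the reply above.
FIXED = {"glibc": "2.18-4.32.1", "glibc-32bit": "2.18-4.32.2"}
# Constructed host inventory, e.g. gathered with:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' glibc glibc-32bit
INSTALLED = {"glibc": "2.18-4.32.1", "glibc-32bit": "2.18-4.32.2"}
# Hypothetical check that applies one release number to every package of the patch.
ONE_SIZE = {name: "2.18-4.32.2" for name in FIXED}

if __name__ == "__main__":
    print("per-package check:", below_fixed(INSTALLED, FIXED))          # []
    print("single-threshold check:", below_fixed(INSTALLED, ONE_SIZE))  # ['glibc']
```

The per-package table reports nothing outstanding on this inventory, while the single-threshold table flags glibc even though the patch is installed.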

On 06/10/2015 06:28 AM, Carlos E. R. wrote:
> On 2015-06-10 06:04, Lew Wolfgang wrote:
>> On 06/09/2015 08:14 PM, Carlos E. R. wrote:
>> Why then wouldn't glibc get updated? Was it backported, or are the vulnerabilities still there in 13.1?
> It looks to me that the patch for 13.1 is patch openSUSE-2015-383=1, producing glibc-2.18-4.32.1 and glibc-32bit-2.18-4.32.2 (and that's what I have installed).
>
> And it covers the same issues as published in the tenable link, it is that patch.
>
> As far as I can see, glibc was updated. Possibly Tenable is confused with glibc-32bit and other rpms, which are version 2.18-4.32.2. I don't think they should be looking at that last digit.

Thanks Carlos, I also think Tenable is "confused" about the version numbers. This is similar to confusion they have with the bash version that fixed the ShellShock vulnerabilities for 13.2 last September. I'll use your response in my mitigation write-up for the Tenable finding.

BTW, all this monkey-motion is being caused by the "Information Assurance" bureaucrats in certain sectors who favour process over performance. As silly as much of it is, Information Assurance is the New Black, and we need to prepare to greet our new overlords.

Regards,
Lew

On 2015-06-10 16:53, Lew Wolfgang wrote:
> On 06/10/2015 06:28 AM, Carlos E. R. wrote:
> Thanks Carlos, I also think Tenable is "confused" about the version numbers. This is similar to confusion they have with the bash version that fixed the ShellShock vulnerabilities for 13.2 last September. I'll use your response in my mitigation write-up for the Tenable finding.

Just remember that I can not talk for the project, my answer can not be official :-)

> BTW, all this monkey-motion is being caused by the "Information Assurance" bureaucrats in certain sectors who favour process over performance. As silly as much of it is, Information Assurance is the New Black, and we need to prepare to greet our new overlords.

:-)

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))