[opensuse] openSUSE Online Update - poor security practice?
Just running Online Update in YaST, one of the updates listed under 'Security' simply has the title 'openSUSE-2014-149'. A quick Google for this provides nothing obvious. Then in the description pane below, it reads:

'References:
CVE-2014-0015 (cve) : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
858673 (bugzilla) : https://bugzilla.novell.com/show_bug.cgi?id=858673
862144 (bugzilla) : https://bugzilla.novell.com/show_bug.cgi?id=862144'

The first of these (non-clickable) links brings up a page in which the only clue is this: 'cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.'

The other two pages linked require logging in to a Bugzilla account to get further information.

I'm no system administrator or security expert, but I don't like the idea of blindly applying updates without having any further indication (from an 'official' openSUSE source) of what they're about. That to me seems like bad security practice and something we're often reminded as users to be cautious of. What if, however unlikely some may believe it to be, there was some malicious update being sent out to openSUSE users? From these details above, we can't gather anything useful. I do in fact have a Novell Bugzilla account, but that shouldn't be a prerequisite for everybody else.

What are others' thoughts on this? Should there be a requirement for more descriptive updates with links to clear info not walled off to registered users? Should I contact somebody on another security-focussed mailing list?

Peter
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
Hi,

This was an error, and should not have happened.

We will be rereleasing this with corrected summary and description.

Ciao, Marcus

On Sat, Feb 22, 2014 at 12:09:05PM +0100, Peter wrote:
> Just running Online Update in YaST, one of the updates listed under 'Security' simply has the title 'openSUSE-2014-149'. A quick Google for this provides nothing obvious. Then in the description pane below, it reads:
>
> 'References:
> CVE-2014-0015 (cve) : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
> 858673 (bugzilla) : https://bugzilla.novell.com/show_bug.cgi?id=858673
> 862144 (bugzilla) : https://bugzilla.novell.com/show_bug.cgi?id=862144'
>
> The first of these (non-clickable) links brings up a page in which the only clue is this: 'cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.'
>
> The other two pages linked require logging in to a Bugzilla account to get further information.
>
> I'm no system administrator or security expert, but I don't like the idea of blindly applying updates without having any further indication (from an 'official' openSUSE source) of what they're about. That to me seems like bad security practice and something we're often reminded as users to be cautious of. What if, however unlikely some may believe it to be, there was some malicious update being sent out to openSUSE users? From these details above, we can't gather anything useful. I do in fact have a Novell Bugzilla account, but that shouldn't be a prerequisite for everybody else.
>
> What are others' thoughts on this? Should there be a requirement for more descriptive updates with links to clear info not walled off to registered users? Should I contact somebody on another security-focussed mailing list?
>
> Peter
On 22/02/14 12:17, Marcus Meissner wrote:
> Hi,
>
> This was an error, and should not have happened.
>
> We will be rereleasing this with corrected summary and description.
>
> Ciao, Marcus

Okay, thanks for the quick reply.

Peter
On 2014-02-22 12:09, Peter wrote:

> Just running Online Update in YaST, one of the updates listed under 'Security' simply has the title 'openSUSE-2014-149'. A quick Google for this provides nothing obvious. Then in the description pane below, it reads:

You already got a comment on that, so just a comment:

> What if, however unlikely some may believe it to be, there was some malicious update being sent out to openSUSE users?

Such a thing would have a comment text to fool you into installing it >:-P

No, the more practical issue is that you can not determine if you need the update now, asap, not at all, or you can wait till a more convenient time, for restarting affected services or even the machine.

But this was a simple mistake and the update will be reissued.

--
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
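The two practical questions raised in this thread (Peter's: what does a patch that only lists references actually change, without a Bugzilla login; Carlos's: do I need to restart anything afterwards) can both be answered from the machine itself. The script below is an added example and is not from the thread or from openSUSE; it parses the bare "References:" block into its CVE and bug identifiers and prints the zypper/rpm commands that answer each question. The patch name is the one from the thread; the package name libcurl4, the assumption that the package changelog cites the bug as bnc#NNNNNN, and the sample text layout are my own.

```sh
#!/bin/sh
# Added example, not part of the thread or of openSUSE's tooling.
# Given the "References:" block a patch description carries, work out the
# identifiers it cites and print the local checks that answer:
#   1. what does the patch change, 2. is the package genuinely signed,
#   3. does anything need restarting once it is installed.
# The patch name comes from the thread; the package name (libcurl4) and the
# bnc# changelog convention are assumptions.

# Constructed sample: the reference list quoted in the thread, one entry per line.
SAMPLE_REFS='References:
CVE-2014-0015 (cve) : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
858673 (bugzilla) : https://bugzilla.novell.com/show_bug.cgi?id=858673
862144 (bugzilla) : https://bugzilla.novell.com/show_bug.cgi?id=862144'

# ref_ids KIND TEXT: print the identifiers tagged "(KIND)" in TEXT, one per line.
# Entries look like "ID (kind) : URL", so the kind tag is the second field.
ref_ids() {
    printf '%s\n' "$2" | awk -v tag="($1)" '$2 == tag { print $1 }'
}

# ref_urls TEXT: print the URLs, so they can be opened without retyping them
# from a non-clickable description pane.
ref_urls() {
    printf '%s\n' "$1" | awk '$3 == ":" { print $4 }'
}

# checklist PATCH PKG TEXT: print the commands to run on the openSUSE box,
# grouped by the question each answers. This only prints; nothing is executed.
checklist() {
    patch=$1 pkg=$2 text=$3
    echo "# 1. What is the patch? (summary, description, category, interactive flag)"
    echo "zypper info -t patch $patch"
    for cve in $(ref_ids cve "$text"); do
        echo "zypper lp --cve=$cve                 # patches that reference this CVE"
        echo "rpm -q --changelog $pkg | grep -n $cve   # vendor changelog entry, no Bugzilla login needed"
    done
    for bug in $(ref_ids bugzilla "$text"); do
        echo "rpm -q --changelog $pkg | grep -n 'bnc#$bug'   # assumes the bnc# convention"
    done
    echo "# 2. Is it genuine? (repository GPG checking and package signature)"
    echo "grep -H gpgcheck /etc/zypp/repos.d/*.repo   # must be gpgcheck=1 for the update repo"
    printf '%s\n' "rpm -q --qf '%{NAME} %{SIGPGP:pgpsig}\n' $pkg   # after install: a key ID, not (none)"
    echo "# 3. Do I need to restart anything? (processes still using replaced files)"
    echo "zypper ps"
}

checklist openSUSE-2014-149 libcurl4 "$SAMPLE_REFS"
```

Run it as-is to get the checklist for the patch in the thread, or feed it another patch's description text. The point of the changelog step is that the package's own changelog, shipped inside the signed RPM, usually names the CVE and bug it fixes, which gives an offline, vendor-provided statement of what changed even when the patch summary is empty and the bug is private.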
participants (3)
- Carlos E. R.
- Marcus Meissner
- Peter