Mailinglist Archive: opensuse-security (471 mails)
Re: [suse-security] Updating packages
- From: Bob Vickers <bobv@xxxxxxxxxxxxxxx>
- Date: Mon, 16 Oct 2000 15:10:14 +0100 (BST)
- Message-id: <Pine.OSF.4.21.0010161457380.2874-100000@xxxxxxxxxxxxxxxxxxxxx>
Jurgen,

The short answer is you shouldn't have to know. Every security alert
should give complete instructions including any necessary actions after
the software is patched.

But unfortunately this doesn't always happen. I hate to criticise Roman
because he is doing a fantastic job churning out all these fixes, but on
occasions the instructions aren't as clear as they might be. Maybe SuSE
should get a documentation person to review the alerts before they go out.

The ideal should be that the alerts are clear to someone who has just
bought Linux and doesn't have previous system admin experience. Ambitious,
but it ought to be possible.

Regards,
Bob

On Sat, 14 Oct 2000, Jurjen Oskam wrote:
> Hi everybody.
>
> Consider the following scenario:
>
> You have installed and actively use package X. Suppose an exploit is
> discovered for that package. SuSE provides a fix, and as a good admin
> you get the new RPM and install the fix. You do this with YaST1, so
> SuSEconfig is automatically run after installing.
>
> According to YaST, the fix is installed. SuSEconfig ran OK. So
> everything seems like you successfully updated.
>
> But: suppose the package was running when you updated? The running
> copy, is that (after SuSEconfig did its work) the old vulnerable
> version, or the new patched version?
>
>
> ....
==============================================================
Bob Vickers R.Vickers@xxxxxxxxxxxxxxx
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhbnc.ac.uk/home/bobv
Phone: +44 1784 443691