Hello!
Hi,
I would like to see more security announcements by SuSE. There is
Many vendors issue advisories of all kinds these days. While I completely agree that reliable information flow is one of the basic ingredients of a more secure computing environment, we want SuSE to stress quality instead of quantity (I'm not talking about the x-large number of packages in our distribution for now). As a consequence, when there has been no SuSE security announcement for a while, we try to collect the ongoing issues into a single statement instead of a spam wave on the security lists (there's a big one in the queue, see below). If it's a bad hole and obvious, we don't hesitate.
usually sooner or later an update on the FTP server and then a couple of days later there is an announcement.
There is for instance this file:
---------------------------------------------
ftp://ftp.suse.com/pub/suse/i386/update/7.0/a1/modules-2.3.11-73.i386_en.info
Description: Security bug fixed
Date: Fri 10 Nov 2000 05:36:25 PM CET
---------------------------------------------
Yes. They will be addressed in a collected summary. The sorting key is severity: Pending remote attack vulnerabilities just weigh more than tmp file races of extraterrestrial software. The gap is also often a result of testing. You might have seen apache and php packages out there but no advisory yet - to come, soon, with a new version. It must not only be fast, it must be 100%, for 6 distributions on 6 platforms. [...]
I'm sure that there might be some messages which I overlooked (e.g. SuSE not-vulnerable or not listed above).
There are some more problems with packages, yes. :-/ It will be a bit (up to "considerably") more noise in the following few days. So be it. We have a long list of issues here that are being addressed by Monday, noon. Your questions will be answered by then, I think. In the meanwhile, for the impatient: (nv==not vulnerable) (np==no such package)
phf: nv
vlock: np
tcpdump: wip, fix soon, this may be very hard to exploit, if at all possible.
crontab: nv
global: nv
dump: Who needs setuid on that in the first place? nv.
pine: Our pine package maintainer had a ready-to-be-released package ready within the shortest time, but the bare release just doesn't work further than a few keystrokes. Should be solved within a few days.
ping: investigating, likely nv.
thttpd: bug present, but not serious, fixed, updates avail.
Please understand that in some cases there's an ongoing effort between vendors (Linux in particular) underway to coordinate the publishing of security breaches. This causes some delay sometimes.
Tobias
PS: Compared with the situation a year ago, security issues are now higher on SuSE's agenda, but you always want to have a little bit more ;-)
A start. I want to read your criticism again in 8 months.
Roman.
--
- -
| Roman Drahtmüller