Hi !
This _might_ just be a misunderstanding perhaps, but...
This page: http://www.suse.com/us/support/security/index.html doesn't reflect the available patches that are listed, amongst others, here: http://www.suse.com/us/support/download/updates/72_i386.html
In fact, there are NO new vulnerabilities added to that webpage-listing since the kernel -addition on 2 Nov 2001. But, since then there have been vulnerabilities in (at least):
Postfix Susehelp Cyrus-sasl Ziptool Java2 Openssh Webalizer
But they are NOT put on the security-announce webpage, and neither are mailed to the suse-security-announce mailinglist !
The download page reflects that there are security-related update packages on the ftp server to download. What you do NOT see is that there are packages not yet available for the other architectures and distributions. In addition to that, not all of the update packages you might find on the download page will have an own announcement (just because they are not bad enough) and will instead be mentioned in section 2 of the next announcement. In the special case of openssh, we're checking all vulnerabilities that have been found in the package (as well as in the ssh package) to see if we missed something. In all cases, it's better to update a package that you find on the web/ftp server. None of the fixes there are really urgent (while cyrus-sasl is new), and if there are major or critical bugs fixed, you'll very soon know with an announcement.
What's up, SuSE ? This is not good news... Did I miss something ?
Maarten
Thanks,
Roman.
--
- -
| Roman Drahtmüller