Bob,
I'm running many machines with SuSE-OS and the versions are between SuSE7.0 and 8.0. If I want to install the newest version (8.0) I have to fill so many holes with patches from the SuSE-Patch-section, and I only patch security-related things, why shouldn't I ask in this list to save time? This is the security list from SuSE, iptables is a security-related software, the people reading this list are often able to answer my question in one sentence - that's the reason I don't understand your answer.
//Ruediger
Bob Vickers wrote:
Ruediger,
This is an example of one of the most frequently asked questions on the list. The question goes "why haven't SuSE upgraded to version y of a product, because version x has security holes?".
The reason for the confusion is a subtle paradox and quite understandable. If you as an individual are using a package for your own use and you hear about a security hole then your natural course may well be to upgrade to the latest version, because you get the latest bug fixes and nice shiny new features as well as fixing the security hole. Occasionally you will find there is some incompatibility with the old version so you do a bit of work sorting this out.
If you are SuSE maintaining the package on behalf of lots and lots of customers with lots of different configurations then the situation is very different. If a small proportion of your customers hit problems because of incompatibilities then that is very bad news. They may not have the expertise to solve the problems, but they need to fix the security hole fast. So for SuSE the best solution is to take the old package and make the minimum number of changes needed to fix the security hole. Occasionally there are so many holes this is impossible but generally this is the right thing to do.
Bob
On Tue, 10 Sep 2002, ic_admin wrote:
Hi List,
just a question concerning iptables v1.2.2 shipped with SuSE7.3:
Is it OK to install this version? I saw there are newer versions available at netfilter.org but in the SuSE-Update-Download-section no update is available. Are the bugs not security-related?
Thanks for help and/or further info, links etc.
Regards
Ruediger
==============================================================
Bob Vickers R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691