Perhaps someone from SuSE could clear this up. I am subscribed to the SuSE security announcements mailing list - I was actively monitoring the list so I could know when updates for mod_python and libxml2 would be available. The last security announcement (before today's openssl one) mentioned this.. http://lists.suse.com/archive/suse-security-announce/2004-Feb/0002.html - mod_python A remote denial-of-service attack can be triggered against the Apache web server by sending a specific query string that is processed by mod_python. New packages will be available soon. - libxml2 A buffer overflow in the URI parsing cde is fixed. This bug can lead to remote access to a system using libxml2. New packages will be available soon. - pwlib This update addresses several security vulnerabilities that may be exploited remotely via applications that link with pwlib, like GnomeMeeting or alike. New packages will be available soon. I maintain my own FTP server which contains the base SuSE RPMs and some of my own custom packages. Yesterday when rsync was run from cron on my FTP server I noticed that those three updates were in the mirrors. But there were no security announcements for these updates. And now in today's OpenSSL announcement it says that new packages for the above mentioned software are available on the SuSE ftp servers.. http://lists.suse.com/archive/suse-security-announce/2004-Mar/0001.html My question is what is the reason for not issuing separate security announcements for updates such as these? Other distributions (like Debian) post one announcement per update which seems like a logical choice. Any thoughts? Regards, Avtar Gill