Re: SuSE Security Announcement: xf86 (SuSE-SA:2002:032)
On Wed, 18 Sep 2002, Sebastian Krahmer wrote:
Package: xf86 Announcement-ID: SuSE-SA:2002:032 Affected products: SuSE Linux 8.0
Would it be possible to provide rebuilt packages for the older distributions under ftp.suse.com/pub/suse/i386/supplementary/X/XFree86/XFree86-4.2.0-SuSE/ too? (Yes, I know that they are not officially supported, and thus low prio)
Or is it possible to compile the suse8-src-rpm under suse 7.2?
c'ya
sven
--
The Internet treats censorship as a routing problem, and routes around it. (John Gilmore on http://www.cygnus.com/~gnu/)
Or is it possible to compile the suse8-src-rpm under suse 7.2?
XFree versions prior to 4.2.0 are not affected, by all I know. This update is required only if you run 8.0.
Olaf
--
Olaf Kirch | Anyone who has had to work with X.509 has probably
okir@suse.de | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
On Wed, 18 Sep 2002, Olaf Kirch wrote:
Or is it possible to compile the suse8-src-rpm under suse 7.2?
XFree versions prior to 4.2.0 are not affected, by all I know. This update is required only if you run 8.0.
or if you run xfree 4.2.0 from the supplemental directory of ftp.suse.com
this is what I asked if it could be rebuilt too
i.A. Sven Koch
Server Management
--
com.unit GmbH http://www.comunit.net/
Eiffestr. 598 20537 Hamburg | Germany
Fon +49-40-2111 05 25 Fax +49-40-2111 05 26
Or is it possible to compile the suse8-src-rpm under suse 7.2?
XFree versions prior to 4.2.0 are not affected, by all I know. This update is required only if you run 8.0.
or if you run xfree 4.2.0 from the supplemental directory of ftp.suse.com
this is what I asked if it could be rebuilt too
The packages at ftp.suse.com/pub/suse/i386/supplementary/X/XFree86/XFree86-4.2.0-SuSE will be replaced very soon. Please be patient.
Roman.
--
Roman Drahtmüller
On Wed, 18 Sep 2002, Roman Drahtmueller wrote:
Or is it possible to compile the suse8-src-rpm under suse 7.2?
XFree versions prior to 4.2.0 are not affected, by all I know. This update is required only if you run 8.0.
or if you run xfree 4.2.0 from the supplemental directory of ftp.suse.com
this is what I asked if it could be rebuilt too
The packages at ftp.suse.com/pub/suse/i386/supplementary/X/XFree86/XFree86-4.2.0-SuSE will be replaced very soon. Please be patient.
thanks a lot, this is all I wanted to know
i.A. Sven Koch
Server Management
--
com.unit GmbH http://www.comunit.net/
Eiffestr. 598 20537 Hamburg | Germany
Fon +49-40-2111 05 25 Fax +49-40-2111 05 26
What if we've used the rpm's off your site to upgrade an older distro to XF4.2, such as 7.3 on my notebook? Am I affected as well?
On Wed, 2002-09-18 at 08:17, Olaf Kirch wrote:
Or is it possible to compile the suse8-src-rpm under suse 7.2?
XFree versions prior to 4.2.0 are not affected, by all I know. This update is required only if you run 8.0.
Olaf
--
Olaf Kirch | Anyone who has had to work with X.509 has probably
okir@suse.de | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
What if we've used the rpm's off your site to upgrade an older distro to XF4.2, such as 7.3 on my notebook? Am I affected as well?
I'm sorry that I might not get the point.
The directory tree that you got the material from is called
"supplementary". This means that the packages therein are from us, they
have been compiled for the specific distribution and that they do not
actually belong to the distribution (otherwise, you'd find them in the
distribution itself).
I have moved this README.txt in place for you. It will be available on the
server within minutes.
Roman.
---------------------------------------
README.txt in directory /pub/suse/<arch>/supplementary/ on ftp.suse.com
or mirrors, dated Wed Sep 18 17:34:24 MEST 2002, auth.: draht@.
-------------------------------------------------------------------------
Dear SuSE Linux user,
Generally, we do not provide update packages with newer versions in the
official update tree. Our high quality standard forces us to keep to the
versions originally published with a product to maintain the overall system
in a consistent state with regards to cross-dependent packages (think of a
linux system like a building, built with packages like bricks one on top of
another). Fixing a problem in a package with a new version (some openssl
library for example) will most certainly bring about malfunctions in other
parts of the system.
After all, you will definitely not be satisfied if you install a security
fix that renders your system unusable.
The directory /pub/suse/<arch>/supplementary/ contains RPM packages that
originate from SuSE build engines and that are built for the specific
distribution as visible in the directory path that leads to the package.
Some of the packages have been built by their respective package maintainer
at SuSE in his/her spare time. The packages are usually signed with the SuSE
build key build@suse.de, or at least by the personal key of a SuSE employee
so that you can verify that the packages really are from SuSE sources.
We publish these packages as a service to the community (you) because many
users of the SuSE Linux operating system wish to use newer versions of
specific packages due to feature or hardware support constraints in older
SuSE Linux versions without the obligation to upgrade the entire system.
Even though these packages have been built for the specific SuSE Linux
version, there is no warranty that these packages seamlessly interoperate
with the rest of the system. The packages have been made with "best effort"
and _should_ work as described in the README files contained in the
respective directories. We make no claim about their fitness for a specific
purpose, so you might as well experience that the package you have chosen
does not work properly on your system. In addition to this, there is no
warranty about the fitness of the packages in security matters: There are no
updates for these packages unless the maintainer decides to refresh the
trees with new builds.
To make it short: If you wish to use a newer version of a package and if you
insist on having properly working updates at hand if there is a security
update, then please use a newer SuSE Linux version. If you feel a little bit
adventurous, then these packages will suit your needs.
Regards,
Roman Drahtmüller,
SuSE Security
* Roman Drahtmueller (draht@suse.de) [020918 09:23]:
::I'm sorry that I might not get the point.
Point is ..if there are packages on the ftp site..supplementary directory or not...people will use them. So they should be updated. ;)
--
Ben Rosenberg ---===---===---===--- mailto:ben@whack.org
Tell me what you believe.. I tell you what you should see.
* Roman Drahtmueller (draht@suse.de) [020918 09:23]:
::
::To make it short: If you wish to use a newer version of a package and if you
::insist on having properly working updates at hand if there is a security
::update, then please use a newer SuSE Linux version. If you feel a little bit
::adventurous, then these packages will suit your needs.
::
I guess to make it shorter. If SuSE puts up these packages and knows that people will use them and there is a security risk with them and the user already has them installed, they should be updated. There are those of us out here like myself who just didn't have time to go to 8.0.
I would say that if fixed packages aren't going to be placed in the supplementary directory for those of us using those packages..then the directory should be removed entirely. :)
--
Ben Rosenberg ---===---===---===--- mailto:ben@whack.org
Tell me what you believe.. I tell you what you should see.
SuSE should NOT have to support all versions back to the time they started a distribution i.e. earlier than 7.0. People have had enough time to upgrade to something more recent to be better able to have recent security fixes. If you DO NOT want to upgrade for the security fixes that is your own fault and NOT the fault of SuSE. Besides purchasing the newer version helps to support SuSE to provide ALL of the fixes they provide not just the security fixes. But then this IS getting to be OFF TOPIC.
On Wed, 2002-09-18 at 14:54, Ben Rosenberg wrote:
* Roman Drahtmueller (draht@suse.de) [020918 09:23]: :: ::To make it short: If you wish to use a newer version of a package and if you ::insist on having properly working updates at hand if there is a security ::update, then please use a newer SuSE Linux version. If you feel a little bit ::adventurous, then these packages will suit your needs. ::
I guess to make it shorter. If SuSE puts up these packages and knows that people will use them and there is a security risk with them and the user already has them installed, they should be updated. There are those of us out here like myself who just didn't have time to go to 8.0.
I would say that if fixed packages aren't going to be placed in the supplementary directory for those of us using those packages..then the directory should be removed entirely. :)
-- Ben Rosenberg ---===---===---===--- mailto:ben@whack.org Tell me what you believe.. I tell you what you should see.
* Ken Schneider (kschneider@rtsx.com) [020918 12:24]:
::SuSE should NOT have to support all versions back to the time they
::started a distribution i.e. earlier than 7.0. People have had enough
::time to upgrade to something more recent to be better able to have
::recent security fixes.
I didn't say back to 7.0, but it's fairly reasonable to do 2-3 releases such as 7.2 - 8.0 and drop the 3rd oldest when a new release is issued. I don't know about you but working 70hrs a week..then doing what your other has planned for you during the other free time takes up quite a bit. I don't think having security updates to software that exists on the servers is a big deal for the 2-3 releases..including the current in that 2-3.
::If you DO NOT want to upgrade for the security fixes that is your own
::fault and NOT the fault of SuSE. Besides purchasing the newer version
::helps to support SuSE to provide ALL of the fixes they provide not just
::the security fixes. But then this IS getting to be OFF TOPIC.
My boxes stay very current, but I don't agree that because it's not in the update directory but in the supplementary directory that updates shouldn't be provided. With the exception of 2 releases that came out while I was working at SuSE...I've bought every release since the last in the 4.x cycle. I could go on and on about the things I do to still support SuSE, but I won't ..this is the last I'll say on the subject. I just wish to have updates..even if they are for just security updates for all software that sits in the supplementary (because lots of people use it) and the regular update directory. Anyway..back to the regularly scheduled programs. ;)
--
Ben Rosenberg ---===---===---===--- mailto:ben@whack.org
Tell me what you believe.. I tell you what you should see.
Ken Schneider wrote:
SuSE should NOT have to support all versions back to the time they started a distribution i.e. earlier than 7.0. People have had enough time to upgrade to something more recent to be better able to have recent security fixes.
WOW! "Back to the time they started a distribution"? "Earlier than 7.0"? You do know that there existed versions like 6.4, 6.3 or even 5.xx? That must be, eeeh, at pre-historic times maybe? BTW, these performed as solid as a rock all these years and continue to do so day after day, at least in the systems I work with. And yes, I haven't upgraded because there is *no* need to. Security is only part of the equation, you know.
But the real point is the two-year product support lifecycle SuSE has decided to adopt. I'm really frustrated at this. Even Microsoft has a 4-year support lifecycle. Don't tell me there are SLEs. There weren't any around when we started deploying SuSE machines.
Forget about desktop machines for a while. Once you have a server machine all setup and you start using it then it's damn difficult to do anything that might bring it down or alter its behaviour. In fact, my personal experience is that unless an update is named as "security-critical", nothing much has a chance. So in effect, no you don't update systems, you just make sure that what you have works within requirements. And you wait for the next update cycle in your company/organization/Public Administration which may be something like 5 years or longer.
IIRC, when Microsoft announced that it will start using a 4-year product support cycle, there was a big fuss about it and many complained that 4 years was too short for businesses. Now SuSE has an even shorter cycle, but no-one seems to care. At least I haven't seen anything in this or the "suse-e" mailing list.
Yes, I do know this is way OT, but I couldn't stay silent at this one. I'll stop here before it gets even longer than it already is.
[rest-of-mail-deleted]
-Stathis
--
Rouvas Stathis rouvas@di.uoa.gr http://www.di.uoa.gr/~rouvas
On Thu, Sep 19 2002, Rouvas Stathis wrote:
Ken Schneider wrote:
SuSE should NOT have to support all versions back to the time they started a distribution i.e. earlier than 7.0. People have had enough time to upgrade to something more recent to be better able to have recent security fixes.
WOW! "Back to the time they started a distribution"? "Earlier than 7.0"? You do know that there existed versions like 6.4, 6.3 or even 5.xx?
Cool, you're running XFree 4.2.0 from .../supplementary/X/... on SuSE 6.x or 5.x? ;-) SCNR.
Bye, Reiner.
--
,,, (o o) ---ooO-(_)-Ooo--- PGP key available via WWW http://rsteib.home.pages.de/
Cool, you're running XFree 4.2.0 from .../supplementary/X/... on SuSE 6.x or 5.x? ;-)
It is possible. I got a 5.3 running with XFree86-4.1.something a while ago. It needed some tweaking (kernel, glibc, special environment to preload the new glibc, other "It-is-possible-but-useless"-stuff), and it smelled pretty badly, I must say, especially if seen from the security standpoint. It is better to run a newer distribution.
Roman.
On Sep 18, Ben Rosenberg
I would say that if fixed packages aren't going to be placed in the supplementary directory for those of us using those packages..then the directory should be removed entirely. :)
If I remember correctly, Roman said today that they WILL be updated ... just be a little bit patient.
Markus -- _____________________________ /"\ Markus Gaugusch ICQ 11374583 \ / ASCII Ribbon Campaign markus@gaugusch.at X Against HTML Mail / \ Linux 2.4.18-4GB
* Olaf Kirch (okir@suse.de) [020918 06:21]:
::> Or is it possible to compile the suse8-src-rpm under suse 7.2?
::
::XFree versions prior to 4.2.0 are not affected, by all I know.
::This update is required only if you run 8.0.
tsk..tsk. If there are 4.2.0 pkgs on the ftp site supported or not..there are people who are using them..(As I jump up and down screaming ME)..and should have the correct patches. As I said in the other email..how's about new 4.2.1 pkgs for 7.2-8.0. I mean not everyone is a luddite...we do upgrade ya know. ;)
--
Ben Rosenberg ---===---===---===--- mailto:ben@whack.org
Tell me what you believe.. I tell you what you should see.
On Wed, 18 Sep 2002, Sven Koch wrote:
Package: xf86 Announcement-ID: SuSE-SA:2002:032 Affected products: SuSE Linux 8.0
Would it be possible to provide rebuilt packages for the older distributions under ftp.suse.com/pub/suse/i386/supplementary/X/XFree86/XFree86-4.2.0-SuSE/ too?
(Yes, I know that they are not officially supported, and thus low prio)
Or is it possible to compile the suse8-src-rpm under suse 7.2?
imho this would be clumsy, as 8.0 has a different directory structure. What I have found easier in the past (I did not try it yet with xf86 so take this for what it's worth) is
1. get the old 4.2.0 source rpm for your 7.x distro (from the supplementary ftp directory you mention)
2. patch it with the new patch (either from xfree86.org or extract it from the source rpm of the 8.0 update)
3. rebuild the rpm with rpm -ba
4. install the rpm you built.
(if you want an rpm to distribute to several machines then you need to be a bit more careful, probably modify the spec file to add the patch, and test it per the rpm howto.)
... although I am tempted to skip the hassle, pre-order 8.1 to get the 4.2.0 new drivers, and continue with 4.1.0 for now.
By the way, the limited impact is not explained in the xfree86 security page, but the full text of the announcement is in the mailing list archives at http://www.xfree86.org/pipermail/xpert/2002-September/020437.html
I quote "The main security problem that prompted this release is a vulnerability in the Xlib modular i18n support that was added in XFree86 4.2.0."
.. thanks Olaf for your diligence in monitoring this (it doesn't show up in bugtraq.)
dproc
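The rebuild dproc outlines above, as an added example that is not code from the thread, from dproc, or from SuSE. It also covers the point in Roman's README that the supplementary packages are signed with a SuSE key so their origin can be checked: the script refuses to rebuild a source rpm whose signature does not verify, then adds the new patch to the spec file and rebuilds it (the "be a bit more careful" route in dproc's step 4 note). Assumed, not from the page: the rpmbuild layout under ~/rpmbuild (old SuSE releases used /usr/src/packages and plain rpm -ba), the key file name, the patch file name and the source rpm name, all of which are placeholders. The spec-editing helpers only use awk, so they run without rpm installed.

```shell
#!/bin/sh
# Added example (not from the thread or SuSE): verify a source rpm's signature,
# add a patch to its spec file and rebuild it. Paths and file names are
# placeholders; the rpmbuild tree ~/rpmbuild is an assumption.

# Print the highest PatchN number declared in spec file $1, or -1 if none.
max_patch_number() {
    awk 'BEGIN { max = -1 }
         tolower($1) ~ /^patch[0-9]*:$/ {
             n = substr($1, 6, length($1) - 6)   # strip "Patch" and ":"
             if (n == "") n = 0                  # bare "Patch:" counts as 0
             if (n + 0 > max) max = n + 0
         }
         END { print max }' "$1"
}

# Write $3 = copy of spec $1 that declares patch file $2 as the next PatchN
# (after the last Source/Patch line) and applies it with %patchN -p1 after
# the last existing %patch line, or after %setup if none exist.
add_patch_to_spec() {
    num=$(($(max_patch_number "$1") + 1))
    awk -v num="$num" -v patch="$2" '
        { lines[NR] = $0 }
        tolower($1) ~ /^(patch|source)[0-9]*:$/ { decl = NR }
        /^%setup/ { setup = NR }
        /^%patch/ { apply = NR }
        END {
            if (!decl || !setup) {
                print "spec lacks Source/Patch or %setup lines" > "/dev/stderr"
                exit 1
            }
            if (!apply) apply = setup
            for (i = 1; i <= NR; i++) {
                print lines[i]
                if (i == decl)  print "Patch" num ": " patch
                if (i == apply) print "%patch" num " -p1"
            }
        }' "$1" > "$3"
}

# Import the vendor key, verify the source rpm, unpack it, patch the spec and
# rebuild. rpm --checksig exits non-zero on a bad signature; an unsigned
# package only reports digests, so read the output before trusting the input.
rebuild_with_patch() {
    srpm=$1 patchfile=$2 keyfile=$3
    rpm --import "$keyfile"                       # usually needs root
    rpm --checksig "$srpm" || { echo "signature check failed: $srpm" >&2; return 1; }
    rpm -i "$srpm"                                # spec -> ~/rpmbuild/SPECS, sources -> SOURCES
    spec=$(ls "$HOME"/rpmbuild/SPECS/*.spec | head -n 1)
    cp "$patchfile" "$HOME/rpmbuild/SOURCES/"
    add_patch_to_spec "$spec" "$(basename "$patchfile")" "$spec.new" && mv "$spec.new" "$spec"
    rpmbuild -ba "$spec"                          # dproc's step 3 (rpm -ba on 2002-era rpm)
}

# Usage with placeholder names:
#   rebuild_with_patch XFree86-4.2.0-SuSE.src.rpm xlib-i18n.diff suse-build-key.asc
```

The built binary rpms land under ~/rpmbuild/RPMS and are installed with rpm -U as in dproc's step 4; because the patch is declared in the spec, the resulting package records it and can be rebuilt identically on another machine, which is what makes it safe to distribute.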
participants (10): Ben Rosenberg, dproc@dol.net, Greg Macek, Ken Schneider, Markus Gaugusch, Olaf Kirch, Reiner Steib, Roman Drahtmueller, Rouvas Stathis, Sven Koch