Announced security patches
Hello people from SuSE,

Why isn't every security update announced here? As I want to update some of our servers, I looked through the list of downloadable patches on your server and found that some of them weren't announced in this list, e.g. patches for MySQL in June. Why is it like that?

Regards
Uli

--
Ulrich Roth
IMPACT Business & Technology Consulting GmbH
Im Mediapark 8 / KölnTurm
D-50670 Koeln
Phone +49-221-93 70 80-29
Fax +49-221-93 70 80-15
E-Mail: roth at impact dot de
Dear Uli,

It is worse than that: sometimes patches are inserted on the web server with an old date.

So if you want to be sure of reading about all security updates:

(1) It is not enough to read the e-mail announcements
(2) It is not enough to check all patches released since you last checked
(3) You have to read every single patch description from the beginning of time in case SuSE have slipped one in

It isn't easy for SuSE because keeping up with security fixes is very manpower-intensive and they don't get any direct revenue for it. Sending out the official announcement is the last step of a long process and sometimes gets missed out.

I think there are a couple of simple things SuSE could do which would help:

(1) The date in the patch description on http://www.suse.de/en/private/download/updates/82_i386.html should reflect the date the web page was updated, not some earlier date.
(2) Publish a status board giving brief information about each security vulnerability (e.g. "we are working on it", "patch available", "SuSE not vulnerable"). This would eliminate many of the questions on this mailing list.

Bob

On Tue, 26 Aug 2003, Ulrich Roth wrote:
> Hello people from SuSE,
> Why isn't every security update announced here? As I want to update some of our servers, I looked through the list of downloadable patches on your server and found that some of them weren't announced in this list, e.g. patches for MySQL in June. Why is it like that?
> Regards
> Uli
==============================================================
Bob Vickers                              R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691
On Tue, 26 Aug 2003, Bob Vickers wrote:

Hi,

> Dear Uli,
>
> It is worse than that: sometimes patches are inserted on the web server with an old date.
>
> So if you want to be sure of reading about all security updates:
>
> (1) It is not enough to read the e-mail announcements
> (2) It is not enough to check all patches released since you last checked
> (3) You have to read every single patch description from the beginning of time in case SuSE have slipped one in
>
> It isn't easy for SuSE because keeping up with security fixes is very manpower-intensive and they don't get any direct revenue for it. Sending out the official announcement is the last step of a long process and sometimes gets missed out.

Every important security update gets announced as fast as possible. Sometimes these fixes are minor (non-suid tmp-race, overflows which are in some sgid-game program, etc.), so they are accumulated for the next advisory and are then announced in section 2. We would do you a disservice if we sent out an announcement for every single little thing.

Additionally there is a "race condition" between the files being visible on the ftp server and the announcement being published.

I understand if this worries you, especially if you do not know how important the update is and what the impact is. But be sure, if it is important, we will announce it on the list very soon, as it was always the case in the past.

Thanks for the input,

Sebastian

--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~
~ krahmer@suse.de - SuSE Security Team
~
I think that the biggest problem is the status of updates. Many people ask for an update when a new vulnerability is found. I think the best solution would be a list with all current and past vulnerabilities and their status on a SuSE web page (preferably machine-parseable), e.g. "sendmail dns bug, CERT id xxx, under investigation". By looking at the web page, everybody can see if SuSE knows about the problem and maybe when it should be released.

Of course this is stressful for the people doing updates, but it should also prevent people from asking (and at least someone who is not from SuSE can tell where the information can be found and what the status is).

Markus

--
__________________
Markus Gaugusch      /"\   ASCII Ribbon Campaign
markus@gaugusch.at   \ /   Against HTML Mail
                      X
                     / \
Participants (4): Bob Vickers, Markus Gaugusch, Sebastian Krahmer, Ulrich Roth