[opensuse-security] Linux distributions: Why a security fix did not arrive for three years
Read the article on Golem.de: https://glm.io/152105?m

Hmmmm, we got "bad press" (German language) about a security issue. (link above).

On Fri, Nov 13, 2020 at 04:54:41PM +0100, Stakanov wrote:
> Read the article on Golem.de:
> Hmmmm, we got "bad press" (German language) about a security issue. (link above).

I only now got back mod/admin rights to this list.

We meanwhile have released raptor updates.

If something does not have a CVE, it is quite hard for anyone to track, so if there are security issues, CVE assignment should be pursued so everyone can handle it :/

Ciao, Marcus

It's in German and behind something that seems to be a pay-wall, anybody could do a simple Google Translate for us non-German speakers?

--
Best regards / S pozdravem,
BSc. Mark Stopka, BBA
mobile: +420 704 373 561

Hi,

Basically Hanno Boeck reported a serious bug in "libraptor", an RDF reader used by LibreOffice 3 years ago....

It did not get a CVE, and so was not picked up by Linux Distributions.

He actually got one some weeks ago, predisclosed the issue, and then wrote this article about this experience.

Basically that without CVEs things are not getting fixed...

(He also dissed openSUSE as we were not yet out with the fix at the time of the article.)

Ciao, Marcus

Ah, yes, when CVEs are not requested it's a mess, on the other hand some "CVE collectors" request them for things that are hardly a vulnerability, we (global IT community) need better vulnerability disclosure and management processes...

--
Best regards / S pozdravem,
BSc. Mark Stopka, BBA
mobile: +420 704 373 561

On 27.11.2020 at 08:12, Marcus Meissner wrote:
> (He also dissed openSUSE as we were not yet out with the fix at the time of the article.)

I wouldn't call it being dissed. He just listed the distros and mentioned that there wasn't a fix at the time of writing the article.

But while we're at it. Are older releases of openSUSE not affected? I've only found security announces for that fix for openSUSE 15.1 while e.g. Ubuntu's list of patches goes back to Ubuntu 16.04.

Cheers, Lothar

On Friday, 27 November 2020 08:44:49 CET, Lothar Kimmeringer wrote:
> On 27.11.2020 at 08:12, Marcus Meissner wrote:
>> (He also dissed openSUSE as we were not yet out with the fix at the time of the article.)
>
> I wouldn't call it being dissed. He just listed the distros and mentioned that there wasn't a fix at the time of writing the article.
>
> But while we're at it. Are older releases of openSUSE not affected? I've only found security announces for that fix for openSUSE 15.1 while e.g. Ubuntu's list of patches goes back to Ubuntu 16.04.
>
> Cheers, Lothar

It was the only distribution singled out for "not having a fix even now". So I call that bad press.

Patches AFAIK are only released to products that are not EOL. I do not expect security relevant fixes to be released for e.g. 42.3 and to be honest, if we would be already in February 2021 I would not expect such a patch to be provided to 15.1 either...

On 27/11/2020 08.02, Mark Stopka wrote:
> It's in German and behind something that seems to be a pay-wall, anybody could do a simple Google Translate for us non-German speakers?

You can use <https://www.deepl.com/translator> to translate some languages at much better quality than Google Translate. Unfortunately it does not translate web pages, you have to copy-paste the text.

--
Cheers / Saludos,
Carlos E. R.
(from 15.1 x86_64 at Telcontar)