[opensuse-security] Updates for 9.3
Hi all. Novell announced that 9.3 updates end on 2007-04-15 and that a last kernel update will be available at the end of 2007-04. Any news on this? (Today's "SUSE Security Summary Report" did not mention this issue.) Greetings Sven
On Fri, Apr 27, 2007 at 03:31:54PM +0200, Sven.Hartrumpf@FernUni-Hagen.de wrote:
Hi all.
Novell announced that 9.3 updates end on 2007-04-15 and that a last kernel update will be available at the end of 2007-04. Any news on this? (Today's "SUSE Security Summary Report" did not mention this issue.)
Taking in new bugs for 9.3 stopped at the 15th. The idea was to bring out all the running incidents until the 30th. There likely will not be a kernel update for 9.3 anymore. Is there a specific problem you need to have fixed? Ciao, Marcus
--------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
Hello again. Fri, 27 Apr 2007 22:53:57 +0200, meissner wrote:
Taking in new bugs for 9.3 stopped at 15th. The idea was to bring out all the running incidents until 30th.
Yes.
There likely will not be a kernel update for 9.3 anymore.
That surprises me. The latest kernel for SUSE 9.3 is 2.6.11.4-21.15-default, from 2006-11-28. Here are some kernel related CVEs which are not mentioned in any security updates for SUSE 9.3: 2006: CVE-2006-6057 CVE-2006-6058 CVE-2006-6921 CVE-2006-7051 2007: CVE-2007-0005 CVE-2007-0772 CVE-2007-0958 CVE-2007-1000 CVE-2007-1217 CVE-2007-1357 CVE-2007-1388 CVE-2007-1496 CVE-2007-1497 CVE-2007-1592 CVE-2007-1730 CVE-2007-1734 CVE-2007-2172 I apologize if I listed some fixed or irrelevant ones. Greetings Sven
On Sat, Apr 28, 2007 at 12:04:09AM +0200, Sven.Hartrumpf@FernUni-Hagen.de wrote:
Hello again.
Fri, 27 Apr 2007 22:53:57 +0200, meissner wrote:
Taking in new bugs for 9.3 stopped at 15th. The idea was to bring out all the running incidents until 30th.
Yes.
There likely will not be a kernel update for 9.3 anymore.
That surprises me. The latest kernel for SUSE 9.3 is 2.6.11.4-21.15-default, from 2006-11-28. Here are some kernel related CVEs which are not mentioned in any security updates for SUSE 9.3:
Let's review them briefly:
2006: CVE-2006-6057 Only when using the gfs2 fs, which we do not in 9.3.
-> No need to fix for 9.3
CVE-2006-6058 minix. Not really used anymore and a pretty hard to fix condition (due to the fs design). Also requires an image to be supplied.
We decided not to fix it. -> Will not be fixed for 9.3
CVE-2006-6921
So far no patch for this has been forthcoming from the kernel community and it does not seem to be taken as a critical issue. -> Will not be fixed for 9.3
CVE-2006-7051 Local dos by resource exhaustion / memory consumption.
Quite hard to fix and only a minor issue. Memory can be exhausted in lots of ways. -> Will not be fixed for 9.3
2007: CVE-2007-0005 Requires the omnikey cardman driver to be loaded and the device accessible to the exploiting local user.
-> Not yet clear if we will fix it for 9.3
CVE-2007-0772
SUSE Linux 9.3 did not contain the NFS2 ACL code exploited here. -> No need to fix for 9.3.
CVE-2007-0958 Minor issue, deep within the ELF loader code. Quite hard to backport and not cause breakage.
Fixed in mainline kernel for newer products. -> Will not be fixed in 9.3.
CVE-2007-1000
The bug does not affect the kernel in 9.3 (the buggy code is not there). -> No need to fix for 9.3.
CVE-2007-1217
Perhaps to be fixed for 9.3, but requires CAPI access. -> Status unclear
CVE-2007-1357
Needs AppleTalk protocol loaded, local network crash. -> Will be fixed for 9.3.
CVE-2007-1388
Code is not affected in SUSE Linux 9.3. -> No need to be fixed for 9.3.
CVE-2007-1496
Not known to us yet, evaluating. Looks minor.
CVE-2007-1497
Not known to us yet, evaluating. (Perhaps 9.3 is not affected.)
CVE-2007-1592
-> Will be fixed for 9.3.
CVE-2007-1730
2.6.20 and later kernels only. -> No need to be fixed for 9.3.
CVE-2007-1734
2.6.20 and later kernels only. -> No need to be fixed for 9.3.
CVE-2007-2172
I think this is a non-issue. RTA_MAX is larger than RTN_MAX, so this could not have any effect. And any potential "out of bounds access" would be
- read/only to const memory -> no kernel information leak
- with an index of "unsigned char", so at maximum 255 elements
The CVE description is incorrect I guess.
I apologize if I listed some fixed or irrelevant ones.
See above. Some minor problems we will not fix. You missed CVE-2006-5753 which we will fix. After reviewing the issues I have decided to issue a final roll-up kernel update for 9.3 in the next days. Ciao, Marcus
Wed, 2 May 2007 11:02:58 +0200, meissner wrote: [... a review of CVEs discussed for SUSE 9.3]
After reviewing the issues I have decided to issue a final roll-up kernel update for 9.3 in the next days.
Marcus, thanks for the thorough review! Looking forward to this kernel update. Ciao Sven
Marcus Meissner wrote:
After reviewing the issues I have decided to issue a final roll-up kernel update for 9.3 in the next days.
Ciao, Marcus
Very good news and many thanks for that. I love the 9.3 x86-64 (AFAIK the last SuSE made in Nuernberg ;-) and can't work productively with the Novell SUSE 10.n. Ciao Marco!
On Wed, May 02, 2007 at 05:39:44PM +0200, Marco Maske wrote:
Marcus Meissner wrote:
After reviewing the issues I have decided to issue a final roll-up kernel update for 9.3 in the next days.
Ciao, Marcus
Very good news and many thanks for that.
I love the 9.3 x86-64 (AFAIK the last SuSE made in Nuernberg ;-) and can't work productively with the Novell SUSE 10.n.
We still do the (open)SUSEs in Nuernberg ;) (Just some more colleagues helping.) As for productivity, openSUSE 10.2, no ZMD (but opensuseupdater + YOU), no beagle ... and it is nicely working. Ciao, Marcus
Hello Marcus,
Marcus Meissner wrote:
After reviewing the issues I have decided to issue a final roll-up kernel update for 9.3 in the next days.
Ciao, Marcus
Very good news and many thanks for that.
I would like to admit.
I love the 9.3 x86-64 (AFAIK the last SuSE made in Nuernberg ;-) and can't work productively with the Novell SUSE 10.n.
As for productivity, openSUSE 10.2, no ZMD (but opensuseupdater + YOU), no beagle ... and it is nicely working.
Do you know about any recipe for SLES10? I have been working with ZMD/rug there for automated updates for several months and I _hate_ those programs now... Joe
--
Joachim Schoenberg
Paul-Drude-Institut for Solid State Electronics, Berlin
On Thu, May 03, 2007 at 09:59:42AM +0200, Joachim Schoenberg wrote:
Hello Marcus,
Marcus Meissner wrote:
After reviewing the issues I have decided to issue a final roll-up kernel update for 9.3 in the next days.
Ciao, Marcus
Very good news and many thanks for that.
I would like to admit.
I love the 9.3 x86-64 (AFAIK the last SuSE made in Nuernberg ;-) and can't work productively with the Novell SUSE 10.n.
As for productivity, openSUSE 10.2, no ZMD (but opensuseupdater + YOU), no beagle ... and it is nicely working.
Do you know about any recipe for SLES10? I have been working with ZMD/rug there for automated updates for several months and I _hate_ those programs now...
Yast Online Update will work fine there.... But I doubt this helps you. SLE10 SP1 (out in a month or so) will bring the 10.2+ updatestack, including the commandline "zypper". (No opensuseupdater though, but you can recompile the one from 10.2) Ciao, Marcus
Marcus Meissner wrote:
On Wed, May 02, 2007 at 05:39:44PM +0200, Marco Maske wrote:
I love the 9.3 x86-64 (AFAIK the last SuSE made in Nuernberg ;-) and can't work productively with the Novell SUSE 10.n.
We still do the (open)SUSEs in Nuernberg ;) (Just some more colleagues helping.)
Nice to hear that. :-) I thought most (open)SUSE development was done in the USA. (For changing to SuSE I gave 3 reasons to friends: security, made in Germany, the fine handbooks.)
As for productivity, openSUSE 10.2, no ZMD (but opensuseupdater + YOU), no beagle ... and it is nicely working.
I did so on my i386 testing box and will install openSUSE 10.3 on a ThinkPad laptop. But my 9.3 workstation stays untouched till the hardware breaks. Sorry, this is becoming OT here. Ciao Marco!
Marco Maske escribió:
Marcus Meissner wrote:
After reviewing the issues I have decided to issue a final roll-up kernel update for 9.3 in the next days.
Ciao, Marcus
Very good news and many thanks for that.
I love the 9.3 x86-64 (AFAIK the last SuSE made in Nuernberg ;-) and can't work productively with the Novell SUSE 10.n.
9.3 was probably the best SUSE release I ever used. However, 10.2 works fine too and 10.3 is looking promising ;-)