openSUSE Users November 2016

users@lists.opensuse.org

82 participants
124 discussions

[opensuse] Re: [opensuse-security] Linux Kernel Vulnerabliltiy and OpenSuSE 13.2

by Marcus Meissner

On Thu, Oct 27, 2016 at 02:31:20PM +0000, Robert Sichler wrote: > Should I expect a patch for OpenSUSE 13.2 (x86_64) to address the Linux kernel vulnerability known as Dirty COW (CVE-2016-5195)? > Or is there another direction I should turn? > Best regards, > -Bob What makes you think it is not available? Ciao, Marcus -- To unsubscribe, e-mail: opensuse+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse+owner(a)opensuse.org

5 years, 7 months

[opensuse] Re: [opensuse-factory] suse 13.2: uncredited source used in shadowutils: where from?

by Marcus Meissner

On Wed, Nov 02, 2016 at 08:22:37AM +0100, Axel Braun wrote: > Am Dienstag, 1. November 2016, 18:26:50 schrieb L. A. Walsh: > > I was trying to figure out a behavior/feature in shadowutils and > > whether it came from the package maintainers, or was an > > OpenSuse addition as wanted to know where the scripts: > > > > "useradd.local" and "groupadd.local" > > > > came from. > > > > I wanted to report one or more problems affecting both > > scripts and didn't know if it should be reported to the package > > "owners"[?] or opensuse. > > > > I installed the source rpm for "shadowutils-4.1.5" and then > > thought it might be as fast or faster to look at the sources > > from the package URL citing http://pkg-shadow.alioth.debian.org/ . > > > > On the site, I see the latest tars being 4.1.4, 4.2, and 4.2.1. > > > > I see no listing for the tarball used by OpenSUSE, neither 4.1.5.1 > > nor 4.1.5. > > I did not find a package called shadowutils on OBS, so I doubt it is openSUSE > Standard - where did you get it from The package is called "shadow". The sources were downloaded at one point in time from above site. I am now adding GPG key verification to the package too. Ciao, Marcus -- To unsubscribe, e-mail: opensuse+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse+owner(a)opensuse.org

5 years, 7 months

[opensuse] suse 13.2: uncredited source used in shadowutils: where from?

by L. A. Walsh

I was trying to figure out a behavior/feature in shadowutils and whether it came from the package maintainers, or was an OpenSuse addition as wanted to know where the scripts: "useradd.local" and "groupadd.local" came from. I wanted to report one or more problems affecting both scripts and didn't know if it should be reported to the package "owners"[?] or opensuse. I installed the source rpm for "shadowutils-4.1.5" and then thought it might be as fast or faster to look at the sources from the package URL citing http://pkg-shadow.alioth.debian.org/ . On the site, I see the latest tars being 4.1.4, 4.2, and 4.2.1. I see no listing for the tarball used by OpenSUSE, neither 4.1.5.1 nor 4.1.5. I'm wondering where these packages came from (as well as wondering how 4.1.5 was "listed as being from the "alioth" source server when the source server has no such tar. It may be no big deal, but usually when I see a URL where the source tar is supposed to be from, it's usually verifiable as being there and, for the times I've checked, is usually the same tarball. In this case, taking a security-minded stance, I can't check any signature or checksum to verify that the tarball used to create opensuse binaries was from the attributed website. I'm sure there's some good explanation, but isn't this something that shouldn't happen for released software? Where *DID*, 4.1.5 (and 4.1.5.1) come from -- are they opensuse created versions? Should opensuse be creating versions of packages that are easily confused with the version numbers used on the original site? I.e. normally, I see something like 4.1.4_2.37, where the part after the "_" is some suse-specific/internal version. If the package owners didn't created the source for suse's package, who did? While I might have some belief in the security of the package on the package's source site, what is known about the 4.1.5.1 or 4.1.5 packages? Could they have a malware or a rootkit embedded -- since they aren't easily verified for content as they didn't come from the official source for this package... ??? Thanks... -l -- To unsubscribe, e-mail: opensuse+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse+owner(a)opensuse.org

5 years, 7 months

[opensuse] Why is DISPLAYMANAGER_SHUTDOWN="root" ignored?

by Josef Wolf

Hello, I have DISPLAYMANAGER_SHUTDOWN="root" set in /etc/sysconfig/displaymanager But this setting seems to be ignored. Non-privileged users can still shutdown by choosing "shutdown" from their KDE menu. Why is this? BTW: this is opensuse Leap 42.1 -- Josef Wolf jw(a)raven.inka.de -- To unsubscribe, e-mail: opensuse+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse+owner(a)opensuse.org

5 years, 7 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

1995

1994

1993

1992

openSUSE Users November 2016