[opensuse] Sufficiently patched OpenSUSE?

Hi guys,

I need a little help here: based on a scan from the national CERT, my security officer claims that I am running outdated software.

Examples (scan performed some weeks ago):

Version source : X-Powered-By: PHP/5.5.14
Installed version : 5.5.14
Fixed version : 5.5.38

Source : Server: Apache/2.4.23
Installed version : 2.4.23
Fixed version : 2.4.27

As of today the installed rpms are:

me@server:~> rpm -qa | egrep "apache2-2|php5-5"
apache2-mod_php5-5.5.14-77.12.1.x86_64
php5-5.5.14-77.12.1.x86_64
apache2-2.4.23-8.12.1.x86_64

I can verify that the rpms on my system are grabbed from updates and were built on 21 September 2017. How or where do I find information so I can convince my security officer that the relevant security patches have been backported and are installed on my system?

-- Regards Klaus

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Checking by version string is completely meaningless, as security patches are commonly backported. You need to request the CVE numbers that are reported and check whether these CVEs are fixed; either they are explicitly mentioned in the changelog, or https://www.suse.com/de-de/security/cve/ would be a starting point. On Thu, Oct 5, 2017 at 10:32 AM, Klaus Vink Slott <list-s@vink-slott.dk> wrote:
Hi guys
I need a little help here: based on a scan from the national CERT, my security officer claims that I am running outdated software.
Examples (scanning performed some weeks ago) Version source : X-Powered-By: PHP/5.5.14 Installed version : 5.5.14 Fixed version : 5.5.38
Source : Server: Apache/2.4.23 Installed version : 2.4.23 Fixed version : 2.4.27
As of today the installed rpms are:
me@server:~> rpm -qa | egrep "apache2-2|php5-5"
apache2-mod_php5-5.5.14-77.12.1.x86_64
php5-5.5.14-77.12.1.x86_64
apache2-2.4.23-8.12.1.x86_64
I can verify that the rpms on my system are grabbed from updates and were built on 21 September 2017. How or where do I find information so I can convince my security officer that the relevant security patches have been backported and are installed on my system?
-- Regards Klaus

I did know that the external version string says nothing, and that patches are backported. The link to the published SUSE Linux security updates is just what I needed to demonstrate they are wrong. Thanks! -- Regards Klaus On 05-10-2017 at 11:00, Andrei Borzenkov wrote:
Checking by version string is completely meaningless, as security patches are commonly backported. You need to request the CVE numbers that are reported and check whether these CVEs are fixed; either they are explicitly mentioned in the changelog, or https://www.suse.com/de-de/security/cve/ would be a starting point.
On Thu, Oct 5, 2017 at 10:32 AM, Klaus Vink Slott <list-s@vink-slott.dk> wrote:
Hi guys
I need a little help here: based on a scan from the national CERT, my security officer claims that I am running outdated software. ...

On 05/10/2017 09:32, Klaus Vink Slott wrote:
Hi guys
I need a little help here: based on a scan from the national CERT, my security officer claims that I am running outdated software.
Examples (scanning performed some weeks ago) Version source : X-Powered-By: PHP/5.5.14 Installed version : 5.5.14 Fixed version : 5.5.38
Source : Server: Apache/2.4.23 Installed version : 2.4.23 Fixed version : 2.4.27
As of today the installed rpms are:
me@server:~> rpm -qa | egrep "apache2-2|php5-5"
apache2-mod_php5-5.5.14-77.12.1.x86_64
php5-5.5.14-77.12.1.x86_64
apache2-2.4.23-8.12.1.x86_64
I can verify that the rpms on my system are grabbed from updates and were built on 21 September 2017. How or where do I find information so I can convince my security officer that the relevant security patches have been backported and are installed on my system?
The relevant information is contained in the rpm changelog. To query it, use, for instance for apache2, "rpm -q --changelog apache2 | less". The use of less is needed due to the long history. The changes have a record of every CVE fixed and the openSUSE bug reference, boo#bugnumber. Regards Dave P

On 05-10-2017 kl. 11:16 Dave Plater wrote:
I need a little help here: based on a scan from the national CERT, my security officer claims that I am running outdated software. The relevant information is contained in the rpm changelog. To query it, use, for instance for apache2, "rpm -q --changelog apache2 | less". The use of less is needed due to the long history. The changes have a record of every CVE fixed and the openSUSE bug reference, boo#bugnumber.
Thanks Dave, that is even better, as I can simply grep for the CVE numbers they claim to be vulnerabilities on my system. Like:
me@server:~> rpm -q --changelog apache2 | grep CVE-2017-9788
 * CVE-2017-9788 [bsc#1048576]
 + apache2-CVE-2017-9788.patch
Nice :-) -- Regards Klaus
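The grep above works for one CVE at a time. As an added example (not code from the thread or from openSUSE), here is a small POSIX shell script that turns the same idea into the check a security officer actually wants answered: for every CVE the scan report lists, does the installed package's changelog record a fix? The script runs the match against a constructed sample changelog so it works offline; `check_cves` wraps the same logic around the real `rpm -q --changelog` output. The `bsc#1048576` reference and CVE-2017-9788 come from the thread; the dates and maintainer address in the sample are made up, and CVE-0000-0000 is a deliberately non-existent placeholder used only to show the "not found" path.

```shell
#!/bin/sh
# Added example: answer a version-string scan finding with changelog evidence.
# The scanner compares "2.4.23" against "2.4.27"; on a backporting distro the
# relevant question is whether each reported CVE appears in the installed
# package's changelog, because the fix does not bump the upstream version.

# check_cves_in_text CHANGELOG_TEXT CVE...
# Prints "<CVE>: fixed (<first matching changelog line>)" or "<CVE>: NOT FOUND".
# Returns 0 only when every CVE was found, so it can gate a report.
check_cves_in_text() {
    changelog=$1
    shift
    rc=0
    for cve in "$@"; do
        # -w: match the id as a whole token so CVE-2017-9788 does not match
        #     CVE-2017-97880; -i: tolerate lower-case "cve-" in old entries;
        # -m 1: keep only the first hit for the summary line.
        hit=$(printf '%s\n' "$changelog" | grep -i -w -m 1 -- "$cve")
        if [ -n "$hit" ]; then
            printf '%s: fixed (%s)\n' "$cve" "$hit"
        else
            printf '%s: NOT FOUND\n' "$cve"
            rc=1
        fi
    done
    return "$rc"
}

# check_cves PACKAGE CVE...
# Same check against the installed package's real changelog (needs rpm).
# Returns 2 when the package is not installed.
check_cves() {
    pkg=$1
    shift
    changelog=$(rpm -q --changelog "$pkg") || return 2
    check_cves_in_text "$changelog" "$@"
}

# count_fixed CHANGELOG_TEXT CVE...
# Prints how many of the given CVEs have a changelog entry.
count_fixed() {
    check_cves_in_text "$@" | grep -c ': fixed ' || true
}

# Constructed sample in rpm changelog layout (not real openSUSE output);
# the CVE and bsc reference are the ones quoted in the thread.
SAMPLE_CHANGELOG='* Thu Sep 21 2017 packager@example.invalid
- CVE-2017-9788 [bsc#1048576]
  + apache2-CVE-2017-9788.patch
* Mon Jun 19 2017 packager@example.invalid
- update to upstream release 2.4.23
'

# Demo on the sample. CVE-0000-0000 is a placeholder that exists nowhere;
# it exercises the NOT FOUND branch and the non-zero exit status.
check_cves_in_text "$SAMPLE_CHANGELOG" CVE-2017-9788 CVE-0000-0000 \
    || echo "at least one CVE is not in the changelog: check the vendor CVE page before answering the report"

# On the box from the thread the real check would be:
#   check_cves apache2 CVE-2017-9788
```

A "NOT FOUND" result is not proof of exposure: the package may have never been affected, the entry may name only the bug number, or the fix may have landed in a different package (apache2-mod_php5 vs php5 here). Treat it as "look it up on the vendor CVE page", not as "vulnerable".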

On 2017-10-05 09:32, Klaus Vink Slott wrote:
Hi guys
I need a little help here: based on a scan from the national CERT, my security officer claims that I am running outdated software.
SuSE and SUSE and openSUSE policy has been, since probably ever, to _not_ update the version numbers of packages in the released versions, because then other packages could fail, i.e. integration problems with untested versions. Instead, patches are backported. Any security "scanning" based on package release versions on openSUSE is absurd, and your security officer should know it. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)

On 05-10-2017 15:22, Carlos E. R. wrote:
On 2017-10-05 09:32, Klaus Vink Slott wrote:
Hi guys
I need a little help here: based on a scan from the national CERT, my security officer claims that I am running outdated software.
...
Any security "scanning" based on packages release versions on openSUSE is absurd, and your security officer should know it.
You would be surprised if you knew what we have to deal with in a big organization like ours (University of Copenhagen). Actually the security guy is alright, but not with a deep technical background. I am a bit more disturbed about the Danish CERT forcing us to respond to useless "security reports" like the one mentioned. The report simply stated the returned version string and listed all the CVEs between that and the current version. -- Regards Klaus

On 10/05/2017 06:22 AM, Carlos E. R. wrote:
Any security "scanning" based on packages release versions on openSUSE is absurd, and your security officer should know it.
Why should they know this piece of trivia on a "Community" Linux version that is experiencing decreasing market share year by year? Version numbers exist for a reason. Opensuse's method of patching but leaving the number the same is just lazy (and dangerous). They should be applying community pressure to those packages that use EQUAL in their dependencies rather than GREATER OR EQUAL unless there is a clearly demonstrated reason that can't possibly work. Backward compatibility works in the vast majority of cases until or unless you run into major version issues. (QT4-->QT5). And THOSE are better handled by package systems than fudging version numbers. I'm not aware of any other distro that does it the Opensuse way. And it means a huge paper chase just to check if a patch has been applied. If Opensuse is moving toward a rolling release, this practice has to stop, and a more sane and standardized approach has to be taken. The world can't be expected to keep track of the idiosyncrasies of each linux distro. -- After all is said and done, more is said than done.

On 2017-10-06 21:14, John Andersen wrote:
On 10/05/2017 06:22 AM, Carlos E. R. wrote:
Any security "scanning" based on packages release versions on openSUSE is absurd, and your security officer should know it.
Why should they know this piece of trivia on a "Community" Linux version that is experiencing decreasing market share year by year?
Because it has been the published strategy for *decades*?
Version numbers exist for a reason.
Opensuse's method of patching but leaving the number the same is just lazy (and dangerous). They should be applying community pressure to those packages that use EQUAL in their dependencies rather than GREATER OR EQUAL unless there is a clearly demonstrated reason that can't possibly work.
No way.
Backward compatibility works in the vast majority of cases until or unless you run into major version issues. (QT4-->QT5). And THOSE are better handled by package systems than fudging version numbers.
I'm not aware of any other distro that does it the Opensuse way. And it means a huge paper chase just to check if a patch has been applied.
If Opensuse is moving toward a rolling release, this practice has to stop, and a more sane and standardized approach has to be taken. The world can't be expected to keep track of the idiosyncrasies of each linux distro.
openSUSE _LEAP_ is *not* moving toward a rolling release. Tumbleweed is a rolling release, and there the policy is reversed and packages are updated to the newest package available. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)

On Fri, 2017-10-06 at 22:28 +0200, Carlos E. R. wrote:
Version numbers exist for a reason. Opensuse's method of patching but leaving the number the same is just lazy (and dangerous). They should be applying community pressure to those packages that use EQUAL in their dependencies rather than GREATER OR EQUAL unless there is a clearly demonstrated reason that can't possibly work.
No way.
I was under the impression that pretty much all of the standard enterprise vendors worked this same way? E.g., SLES doesn't change version numbers, but backports the patches into the baseline versions of the packages to minimize the risk of something suddenly blowing up since the requirements can't be met. And since openSuSE is basically the origination for most things SLES, why would we expect anything different?

On 2017-10-06 23:03, Christopher Myers wrote:
On Fri, 2017-10-06 at 22:28 +0200, Carlos E. R. wrote:
Version numbers exist for a reason. Opensuse's method of patching but leaving the number the same is just lazy (and dangerous). They should be applying community pressure to those packages that use EQUAL in their dependencies rather than GREATER OR EQUAL unless there is a clearly demonstrated reason that can't possibly work.
No way.
I was under the impression that pretty much all of the standard enterprise vendors worked this same way? E.g., SLES doesn't change version numbers, but backports the patches into the baseline versions of the packages to minimize the risk of something suddenly blowing up since the requirements can't be met. And since openSuSE is basically the origination for most things SLES, why would we expect anything different?
Exactly. Not only SLES and Leap, but the previous SuSE/Novell/SUSE stable versions did the same. For decades: the 1990's, the 2000's, the 2010's... nothing new here. Only Factory, now Tumbleweed, works differently. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)

On Friday, 6 October 2017 at 21:14:02 CEST, John Andersen wrote:
On 10/05/2017 06:22 AM, Carlos E. R. wrote:
Any security "scanning" based on packages release versions on openSUSE is absurd, and your security officer should know it.
Why should they know this piece of trivia on a "Community" Linux version that is experiencing decreasing market share year by year?
Version numbers exist for a reason.
Opensuse's method of patching but leaving the number the same is just lazy (and dangerous). They should be applying community pressure to those packages that use EQUAL in their dependencies rather than GREATER OR EQUAL unless there is a clearly demonstrated reason that can't possibly work.
Backward compatibility works in the vast majority of cases until or unless you run into major version issues. (QT4-->QT5). And THOSE are better handled by package systems than fudging version numbers.
I'm not aware of any other distro that does it the Opensuse way. And it means a huge paper chase just to check if a patch has been applied.
If Opensuse is moving toward a rolling release, this practice has to stop, and a more sane and standardized approach has to be taken. The world can't be expected to keep track of the idiosyncrasies of each linux distro.
Please learn to write "openSUSE". That's the name of the distro. For the rest: read about the phenomenon of backporting. Plus, John, you do not have to run openSUSE. Why should you, if the people building it do it all wrong? -- Gertjan Lettink, a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team

participants (7)
- Andrei Borzenkov
- Carlos E. R.
- Christopher Myers
- Dave Plater
- John Andersen
- Klaus Vink Slott
- Knurpht - Gertjan Lettink