Is there any where to look to see if TW updates include CVE fixes or are just build dep updates?
All, devs,

Is there any page suse/openSUSE keeps that can tell us if the updates (upgrades) listed for TW are for security issues? When I just checked for the available updates, they in large part are just different point releases of the same 200 packages I upgraded 3 days ago. It would be helpful to know if the listed updates are security fixes or just point releases for some build dependency that was updated.

Is there anywhere to find that information out? I know there is a security list, and that had that type of info on a per package basis (in a bit obscured format), but is that information captured anywhere else that doesn't take subscribing to another list or searching backwards through a list-archive?

If not -- that would be another helpful addition.

-- David C. Rankin, J.D.,P.E.
Hi,

https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.or...

The entries with "on GA media" like e.g.

openSUSE-SU-2024:14600-1: moderate: libmozjs-128-0-128.5.1-3.1 on GA media

are the openSUSE Tumbleweed CVE fixes.

Ciao, Marcus

On Thu, Dec 19, 2024 at 10:46:55PM -0600, David C. Rankin wrote:
--
Marcus Meissner (he/him), Distinguished Engineer / Senior Project Manager Security
SUSE Software Solutions Germany GmbH, Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew McDonald, Werner Knoblich, HRB 36809, AG Nuernberg
On Fri, Dec 20, 2024 at 10:17 AM Marcus Meissner <meissner@suse.de> wrote:
Hi,
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.or...
Useful information.

In my organization, our IT only want to support Windows. They exert more and more control to ensure that only approved software is installed on any system connected to the corporate network, to the point of actively removing any other software. And of course the OS is also managed.

In my group we use openSUSE (a mix of Leap and Tumbleweed). The biggest issue IT have is that they say they have no way of knowing if 'all security fixes' are installed. So they never want to allow our machines to be on the company network. We go through endless hoops to make them happy so at least some of our machines are on our network. (Others live behind firewalls that severely limit what they can do in the network outside the firewall.)

I understand their concern. But as long as they don't want to educate themselves in anything other than Windows, it will remain a point of contention.

We use their Cisco AnyConnect to connect to the VPN. We have installed (on evaluation Tumbleweed systems) Rapid7 Insight and Microsoft Defender, all reporting back to our IT. But they are still suspicious.

What I don't have is some way to show which CVE are installed on a system. I know that if one keeps things up-to-date, there is a good chance that those in your list will most likely (but not guaranteed) be installed. We do not update our systems wildly. One reason is ensuring that certain classes of them are all the same in terms of installed software. So the information in your list most likely does not apply to the local system.

A method to find out which CVE are installed on the current system would be fantastic. And not just that the current install is the one where the CVE was managed. It would also need to be present as long as the solution remains in the installed code.

I would think that having this information would help non-Linux IT departments feel better about at least this aspect of Linux. Which might help acceptance of those systems being on the corporate network.
-- Roger Oberholtzer
On Fri, Dec 20, 2024 at 1:35 PM Roger Oberholtzer <roger.oberholtzer@gmail.com> wrote:
A method to find out which CVE are installed on the current system would be fantastic. And not just that the current install is the one where the CVE was managed. It would also need to be present as long as the solution remains in the installed code.
For Leap (where you are supposed to use patches) information is in patch metadata. You can search for the specific CVE (zypper lp --cve=...) and you can parse metadata to list all CVEs. You probably can also write a zypper plugin to do it, something like "zypper list-cve". If you are using non-default repositories - see below. For Tumbleweed it is really only rpm -qa --changelog | grep CVE and hope that CVEs are also listed there.
On 12/20/24 3:16 AM, Marcus Meissner wrote:
That is excellent! Which brings up an area I need help in. One weakness in my command-line foo is curl. How would I curl that information only going back to the point of last update (and if possible with curl only the "on GA media" items, though a simple pipe to grep can handle that after the curl request)?

For lookback purposes, I can get the lookback date (close enough) from either:

$ sed -n '/^VERSION_ID/s/^[^"]*"\([^"]*\).*$/\1/p' /etc/os-release

or

$ stat -c %y /etc/os-release

(or %Y in timestamp, seconds since epoch form)

But then how to tell curl to go get the entries from that time forward?

-- David C. Rankin, J.D.,P.E.
On 12/20/24 2:02 PM, David C. Rankin wrote:
But then how to tell curl to go get the entries from that time forward?
Making progress, the site itself in the "Download" link provides a way to bracket the last 30 days, and should be able to substitute in the last update date as the start= date:

https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/export/security-announce@lists.opensuse.org-2024-11-19-2024-12-21.mbox.gz?start=2024-11-19&end=2024-12-21

-- David C. Rankin, J.D.,P.E.
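Putting the pieces from this and the previous message together, as an added example that is not code from the thread: a POSIX sh script that reads VERSION_ID from an os-release file, builds the archive export URL in the format shown above for a start/end date range, and keeps only the "on GA media" (Tumbleweed) subjects from the resulting mbox. The helper names (snapshot_to_date, os_release_version_id, export_url, ga_media_subjects, fetch_ga_media) are mine, and it assumes Tumbleweed's VERSION_ID is the YYYYMMDD snapshot date.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Tumbleweed's VERSION_ID is
# the YYYYMMDD snapshot date and that the export URL has the format
# quoted in the message above.
LIST='security-announce@lists.opensuse.org'
BASE="https://lists.opensuse.org/archives/list/$LIST/export"

# YYYYMMDD -> YYYY-MM-DD; prints nothing if the input is not 8 digits.
snapshot_to_date() {
    printf '%s\n' "$1" |
        sed -n 's/^\([0-9]\{4\}\)\([0-9]\{2\}\)\([0-9]\{2\}\)$/\1-\2-\3/p'
}

# David's sed one-liner, with the file path as an argument so it can be
# run against a constructed copy instead of the live /etc/os-release.
os_release_version_id() {
    sed -n '/^VERSION_ID/s/^[^"]*"\([^"]*\).*$/\1/p' "${1:-/etc/os-release}"
}

# Export URL for the range start..end (both YYYY-MM-DD).
export_url() {
    printf '%s/%s-%s-%s.mbox.gz?start=%s&end=%s\n' \
        "$BASE" "$LIST" "$1" "$2" "$1" "$2"
}

# From an mbox on stdin, keep only Tumbleweed advisories ("on GA media").
ga_media_subjects() {
    grep '^Subject: ' | grep 'on GA media' | sed 's/^Subject: //'
}

# Download the range and print matching subjects (needs network access).
fetch_ga_media() {
    curl -sSfL "$(export_url "$1" "$2")" | gzip -dc | ga_media_subjects
}

# Constructed sample mbox fragment: two Tumbleweed entries, one Leap entry.
SAMPLE_MBOX='Subject: openSUSE-SU-2024:14600-1: moderate: libmozjs-128-0-128.5.1-3.1 on GA media
Subject: openSUSE-SU-2024:0400-1: important: example-pkg for Leap 15.6
Subject: openSUSE-SU-2024:14601-1: moderate: other-pkg-1.0-2.1 on GA media'

printf '%s\n' "$SAMPLE_MBOX" | ga_media_subjects
```

On a live system, `fetch_ga_media "$(snapshot_to_date "$(os_release_version_id)")" "$(date +%F)"` covers the window from the installed snapshot to today.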
Hi,

I am not sure what you want to achieve.

It is also possible to check against OVAL data:

$ wget https://ftp.suse.com/pub/projects/security/oval/opensuse.tumbleweed.xml.bz2
$ oscap oval eval --result result.xml --report result.html opensuse.tumbleweed.xml.bz2|grep true
Definition oval:org.opensuse.security:def:202229458: true
$

This "def:202229458" translates to a CVE (4 digit year, rest id). This will show the still uninstalled updates; here it's for CVE-2022-29458, although this is a false positive, as "tack" from ncurses6 has a higher version than tack from ncurses5. :/

Similar for opensuse.tumbleweed-affected.xml.bz2

result.html has a nice html report with the "true" (unfixed) entry on top.

Ciao, Marcus

On Fri, Dec 20, 2024 at 03:10:48PM -0600, David C. Rankin wrote:
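The definition-id to CVE translation Marcus describes, as an added example that is not code from the thread: a POSIX sh script that reads oscap output, keeps the definitions reported "true" (unfixed), and rewrites the id suffix (4-digit year followed by the CVE sequence number) into a CVE id. The helper names (oval_def_to_cve, unfixed_cves, check_system) are mine; it assumes oscap prints the "Definition ...: true" lines in the form shown above and that every definition id follows that year-plus-sequence scheme.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes oscap prints lines of the
# form "Definition oval:org.opensuse.security:def:<YYYY><seq>: true|false"
# and that the id suffix is the CVE year followed by its sequence number.
OVAL_URL='https://ftp.suse.com/pub/projects/security/oval/opensuse.tumbleweed.xml.bz2'

# oval:org.opensuse.security:def:202229458 -> CVE-2022-29458
# Prints nothing if the id does not end in year+sequence digits.
oval_def_to_cve() {
    printf '%s\n' "$1" |
        sed -n 's/^.*def:\([0-9]\{4\}\)\([0-9]\{4,\}\)$/CVE-\1-\2/p'
}

# Read oscap eval output on stdin, print one CVE id per unfixed definition.
unfixed_cves() {
    while read -r word id state; do
        [ "$word" = "Definition" ] && [ "$state" = "true" ] || continue
        oval_def_to_cve "${id%:}"    # strip the trailing ':' after the id
    done
}

# Full run against the live feed (needs network, oscap and bzip2 support).
check_system() {
    curl -sSfL "$OVAL_URL" -o opensuse.tumbleweed.xml.bz2 &&
    oscap oval eval --result result.xml --report result.html \
        opensuse.tumbleweed.xml.bz2 | unfixed_cves
}

# Constructed sample of oscap output: Marcus's unfixed entry plus a fixed
# one with a placeholder id.
SAMPLE_OSCAP='Definition oval:org.opensuse.security:def:202229458: true
Definition oval:org.opensuse.security:def:202499999: false'

printf '%s\n' "$SAMPLE_OSCAP" | unfixed_cves
```

Treat the list as candidates, not verdicts: as the ncurses "tack" case above shows, a "true" result can be a false positive and needs a look at the installed package version.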
Hello,

In the Message;

Subject : Is there any where to look to see if TW updates include CVE fixes or are just build dep updates?
Message-ID : <f0cdcd93-9b66-4bb8-bc30-663dce2f1eca@gmail.com>
Date & Time: Thu, 19 Dec 2024 22:46:55 -0600

[DCR] == "David C. Rankin" <drankinatty@gmail.com> has written:

DCR> All, devs,
DCR> Is there any page suse/openSUSE keeps that can tell us if the updates
DCR> (upgrades) listed for TW are for security issues? When I just
DCR> checked for the available updates, they in large part are just
DCR> different point releases of the same 200 packages I upgraded 3
DCR> days ago. It would be helpful to know if the listed updates are
DCR> security fixes or just point releases for some build dependency
DCR> that was updated.
[...]

How about Change txt on

https://download.opensuse.org/tumbleweed/iso/

Best Regards.

---
┏━━┓彡 Masaru Nomiya mail-to: nomiya @ lake.dti.ne.jp
┃\/彡
┗━━┛
"Microsoft is overhauling its cybersecurity strategy, called the Secure Future Initiative, to incorporate key security features into its core set of technology platforms and cloud services."
-- Microsoft overhauls cyber strategy to finally embrace security by default --
On 12-20-2024 03:22AM, Masaru Nomiya wrote:
That link has the incorrect date, use this one:

https://download.opensuse.org/tumbleweed/iso/Changes.20241217.txt

-Seasons Hopes🫥