[opensuse] Question re security updates (shibboleth-sp)
Wondering how security updates are handled at the tail of an active cycle. The immediate concern, shibboleth-sp has a security issue in the current package. Looking at software.opensuse.com (hoping there'd be some updated package for opensuse there) I see that Tumbleweed and SLES variants, as well as the (beta) of 15 have updates. More surprisingly openSUSE 12.3 has an update (this seems to be the work of the Shibboleth people). But no package update for Leap. I'd guess this is because 15 is due out in May, but this seems a long time to me. Is there a policy that governs this?

Thanks

--
Josef Fortier
Systems Administrator
fortier@augsburg.edu
Phone: 612-330-1479
On 2018-04-12 20:24, Josef Fortier wrote:
> Wondering how security updates are handled at the tail of an active cycle. The immediate concern, shibboleth-sp has a security issue in the current package. Looking at software.opensuse.com (hoping there'd be some updated package for opensuse there) I see that Tumbleweed and SLES variants, as well as the (beta) of 15 have updates. More surprisingly openSUSE 12.3 has an update (this seems to be the work of the Shibboleth people). But no package update for Leap. I'd guess this is because 15 is due out in May, but this seems a long time to me. Is there a policy that governs this?
The general policy is that packages do not get a package update during the lifetime of the release. Instead packages get backported patches for whatever security issues arise. You have to peruse the announcements to see if the particular security issue is covered. Try "man zypper", then seek "CVE".

--
Cheers/Saludos
Carlos E. R.
(testing openSUSE Leap 15.0, at Minas-Anor)
On Thu, Apr 12, 2018 at 01:24:41PM -0500, Josef Fortier wrote:
> Wondering how security updates are handled at the tail of an active cycle. The immediate concern, shibboleth-sp has a security issue in the current package. Looking at software.opensuse.com (hoping there'd be some updated package for opensuse there) I see that Tumbleweed and SLES variants, as well as the (beta) of 15 have updates. More surprisingly openSUSE 12.3 has an update (this seems to be the work of the Shibboleth people). But no package update for Leap. I'd guess this is because 15 is due out in May, but this seems a long time to me. Is there a policy that governs this?
Do you have CVE ids? We backport fixes to older versions as said, and Leap 42.3 should inherit it from the SLES 12 codebase.

Ciao, Marcus
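A sketch of the check both replies point to, as an added example that is not part of the original thread: since fixes are backported without a version bump, the CVE id typically shows up in the package changelog and in the patch metadata rather than in the version number. The CVE id, the changelog text and the helper names are constructed placeholders; `rpm -q --changelog` and `zypper list-patches --cve` are the real commands.

```shell
#!/bin/sh
# Added example. CVE ids and changelog text below are constructed placeholders.

# Read `rpm -q --changelog PKG` output on stdin and print the header line of
# every changelog entry that mentions CVE id $1. Exit status 1 if none does.
changelog_entries_for_cve() {
    awk -v cve="$1" '
        /^\* /  { header = $0; seen = 0; next }    # start of a changelog entry
        !seen && $0 ~ (cve "([^0-9]|$)") {          # reject prefix-only matches
            print header; seen = 1; found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample in the layout of rpm changelog output.
sample_changelog() {
    cat <<'EOF'
* Mon Jan 01 2018 packager@example.org
- Add fix-xml-parsing.patch (CVE-0000-00012)
* Sun Jan 01 2017 packager@example.org
- Update to a new upstream release
EOF
}

# On a real system: look at the installed package, then at pending patches.
check_installed() {   # usage: check_installed PACKAGE CVE-ID
    rpm -q --changelog "$1" | changelog_entries_for_cve "$2" \
        || echo "$2 is not mentioned in the changelog of $1"
    zypper --non-interactive list-patches --cve="$2"
}

# Only touch rpm/zypper when called with a package name and a CVE id.
if [ "$#" -eq 2 ]; then check_installed "$1" "$2"; fi
```

A changelog hit means the installed build already carries the backport; a row from `zypper list-patches` means a patch for that CVE is still pending on this system.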
participants (3): Carlos E. R., Josef Fortier, Marcus Meissner