KDE 3.1.4 and YOU security upgrades
Hi All.
Stupid question time. I'm using SuSE 8.2 PRO KDE (stayed at original version, 3.1.3 seemed too buggy from mail on this list) and Yast online update. Now I thought Yast Online update was supposed to let me know about security upgrades. KDE 3.1.4's upgrade _is_ a security upgrade according to the traffic on this list. YOU on my machine is not saying boo about KDE 3.1.4. I have gotten a boatload of other security upgrades. Makes me wonder what else I might have missed waiting for the red ball in my tray.
Anyone care to enlighten me as to why no red ball?
Thanks
Charlie
On Thursday 25 September 2003 22:12, Charles Kunce wrote:
> Hi All.
> Stupid question time. I'm using SuSE 8.2 PRO KDE (stayed at original version, 3.1.3 seemed too buggy from mail on this list) and Yast online update. Now I thought Yast Online update was supposed to let me know about security upgrades. KDE 3.1.4's upgrade _is_ a security upgrade according to the traffic on this list. YOU on my machine is not saying boo about KDE 3.1.4. I have gotten a boatload of other security upgrades. Makes me wonder what else I might have missed waiting for the red ball in my tray.
There is a new openssh update (yes another one, number 3 in order, 3.7.1p2), that hasn't been issued from SuSE. There are bugs in mySQL, apache and php that haven't been addressed, as far as I know.
* Anders Johansson (andjoh@rydsbo.net) [030925 13:21]:
> There is a new openssh update (yes another one, number 3 in order, 3.7.1p2),
Do you mean this one? http://www.openssh.com/txt/sshpam.adv
--
-ckm
On Thursday 25 September 2003 23:07, Christopher Mahmood wrote:
> * Anders Johansson (andjoh@rydsbo.net) [030925 13:21]:
> > There is a new openssh update (yes another one, number 3 in order, 3.7.1p2),
> Do you mean this one? http://www.openssh.com/txt/sshpam.adv
Yeah, but it occurred to me after I sent it that SuSE is still at 3.5, so shouldn't be affected.
* Anders Johansson (andjoh@rydsbo.net) [030925 14:23]:
> On Thursday 25 September 2003 23:07, Christopher Mahmood wrote:
> > * Anders Johansson (andjoh@rydsbo.net) [030925 13:21]:
> > > There is a new openssh update (yes another one, number 3 in order, 3.7.1p2),
> > Do you mean this one? http://www.openssh.com/txt/sshpam.adv
> Yeah, but it occurred to me after I sent it that SuSE is still at 3.5, so shouldn't be affected
Yes, http://lists.suse.com/archive/suse-security/2003-Sep/0259.html
--
-ckm
* Charles Kunce (ckunce@nycap.rr.com) [030925 13:10]:
> KDE 3.1.4's upgrade _is_ a security upgrade according to the traffic on this list.
This list isn't authoritative as to what constitutes a security update, suse-security-announce@suse.com is. The problem (http://www.securitytracker.com/alerts/2003/Sep/1007721.html) only affects you if you are using pam_krb5, which you probably aren't (you'd know if you were).
These sorts of questions are best asked on suse-security@suse.com (and were, see http://lists.suse.com/archive/suse-security/2003-Sep/0210.html) since no one from the security team reads this list. If you'd like to contact the security team directly about these sorts of issues you can reach them at security@suse.com.
Anything released in ftp.suse.com/pub/suse/supplementary/, /pub/people, or anything else outside of the /pub/suse/<arch>/update is an unofficial, unsigned, unsupported, and probably experimental update that's not intended for "casual" use. If these kde packages were security updates they would be there and marked as such in YOU.
--
-ckm
OK, then basically, I don't have to worry about it since I don't use pam_krb5 and SuSE has put out a version of 3.1.4 I can use _if_ I want to: caveat emptor.
Thanks for the response, I was afraid I might have munged something accidentally. Still getting used to SuSE.
---
Charlie
On Thursday 25 September 2003 16:38, Christopher Mahmood wrote:
> * Charles Kunce (ckunce@nycap.rr.com) [030925 13:10]:
> > KDE 3.1.4's upgrade _is_ a security upgrade according to the traffic on this list.
> This list isn't authoritative as to what constitutes a security update, suse-security-announce@suse.com is. The problem (http://www.securitytracker.com/alerts/2003/Sep/1007721.html) only affects you if you are using pam_krb5, which you probably aren't (you'd know if you were).
> These sorts of questions are best asked on suse-security@suse.com (and were, see http://lists.suse.com/archive/suse-security/2003-Sep/0210.html) since no one from the security team reads this list. If you'd like to contact the security team directly about these sorts of issues you can reach them at security@suse.com.
> Anything released in ftp.suse.com/pub/suse/supplementary/, /pub/people, or anything else outside of the /pub/suse/<arch>/update is an unofficial, unsigned, unsupported, and probably experimental update that's not intended for "casual" use. If these kde packages were security updates they would be there and marked as such in YOU.
> --
> -ckm
* Charles Kunce (ckunce@nycap.rr.com) [030925 15:21]:
> OK, then basically, I don't have to worry about it since I don't use pam_krb5 and SuSE has put out a version of 3.1.4 I can use _if_ I want to: caveat emptor.
> Thanks for the response, I was afraid I might have munged something accidentally. Still getting used to SuSE.
Well, after I installed the qt3-3.2.1 pkg that cropped in the middle of the night (PST time) ..3.1.4 works fine. I usually don't have much trouble with KDE upgrades. It's just that 3.1.3 was missing kscd and the kio audio stuff in the 3rd build of 3.1.3. That's what cheesed me off. Now that all the packages are up on the ftp site I've had no issues. It works. It was just kinda painful with 3.1.3 and 3.1.4 until this morning. The ONLY thing that broke is that I use thinkeramik (kde) and thingeramik (gtk) so my apps look the same..this ISN'T a big deal though because QtCurve works fine in this setup. As far as the rest..haven't seen an issue yet.
--
Ben Rosenberg
---===---===---===---
mailto:ben@whack.org
-----
If two men agree on everything, you can be sure that only one of them is doing the thinking.
* Charles Kunce (ckunce@nycap.rr.com) [030925 15:20]:
> OK, then basically, I don't have to worry about it since I don't use pam_krb5
Well, I'm not authoritative either but the link I posted was from Roman Drahtmueller, head of the security team, who is. So yes, unless you're using kerberos and aren't worried about local users brute forcing the session keys (see http://www.kde.org/info/security/advisory-20030916-1.txt) then it's not a problem.
> and SuSE has put out a version of 3.1.4 I can use _if_ I want to: caveat emptor.
I don't know about the emptor part, but yes. As I said, these aren't official packages and are mainly for testing.
--
-ckm
participants (4): Anders Johansson, Ben Rosenberg, Charles Kunce, Christopher Mahmood