Mailinglist Archive: opensuse-security (685 mails)

Request to SuSE
  • From: Peter Nixon <nix@xxxxxxxxxxxxxxxx>
  • Date: Wed, 13 Feb 2002 16:50:53 +0200
  • Message-id: <20020213165053.01564f67.nix@xxxxxxxxxxxxxxxx>
Hi Guys.

I would like to bounce an idea off the list which I think would be of value. I propose that SuSE set up a suse-security-announce-pending mailing list where SuSE would officially notify of Pending problems in SuSE packages. Like most of you I receive a lot of email every day (Bugtraq, CERT, SuSE-Security, SAGE-AU, SLUG, and a dozen other application specific mailing lists, plus of course my normal work and personal correspondence). Now of course I run _plenty_ of filters and everything is reasonably manageable, however I am in the nice position that _every_ single piece of infrastructure I have under my control (with the exception of my routers, Sat Equipment, Load Balancers and 1 of my firewall levels) is SuSE Linux. To put it another way, every listening port on my network is on a SuSE box. Now I may be at the far end of the scale regarding SuSE's customers in this regard, but it would be very useful to me if I only _had_ to keep track of one mailing list to know if I have to disable some service or other until a fix comes out.

Now, I know that this is not too much extra work because invariably whenever something new hits BugTraq that affects SuSE, a question gets sent to SuSE-Security to ask if this affects SuSE or not.

Take the current outstanding issue with ucsnmpd for instance. The question has already been asked (and answered by Roman) as to whether SuSE is vulnerable or not. So as the time was taken by Roman to do this (and say that there is an update pending), I think this info should be sent to an announcement list as a matter of course as soon as an issue breaks. (If SuSE already has a patch ready due to coordination with other vendors etc., then it becomes unnecessary.)

As it was, I had already read about the SNMPD problem (and disabled it on servers where it could conceivably cause a problem) on 4 other mailing lists before the response from Roman.

As far as I'm concerned, the speed of _notification_ is more important than the speed at which a patch is released. I am quite comfortable disabling a service for days if necessary if I know there is a problem coming. Unfortunately, to have this choice I currently have to wade through BugTraq etc. every morning rather than just keeping an eye on a single low traffic SuSE maillist and leaving my bugtraq reading until lunchtime/weekends etc.

This idea is obviously of less use to people who run more heterogeneous networks than I do, but as I'm sure SuSE would love to have more companies in my situation, this is something that should be looked at.

Any comments?

--
Have fun

Peter Nixon - nix@xxxxxxxxxxxxxxxx
SuSE Security FAQ Maintainer
http://www.susesecurity.com/faq/

"If you think cryptography will solve the problem, then you don't understand cryptography and you don't understand your problem."
