Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] iptables - version on suse cd
  • From: Bob Vickers <bobv@xxxxxxxxxxxxx>
  • Date: Tue, 10 Sep 2002 10:27:37 +0100 (BST)
  • Message-id: <Pine.OSF.4.44.0209101015470.454-100000@xxxxxxxxxxxxxxxxxxxxx>

This is an example of one of the most frequently asked questions
on the list. The question goes "why haven't SuSE upgraded to version y of
a product, because version x has security holes?".

The reason for the confusion is a subtle paradox and quite understandable.
If you as an individual are using a package for your own use and you hear
about a security hole then your natural course may well be to upgrade to
the latest version, because you get the latest bug fixes and nice shiny
new features as well as fixing the security hole. Occasionally you will
find there is some incompatibility with the old version so you do a bit of
work sorting this out.

If you are SuSE maintaining the package on behalf of lots and lots of
customers with lots of different configurations then the situation is very
different. If a small proportion of your customers hit problems because of
incompatibilities then that is very bad news. They may not have the
expertise to solve the problems, but they need to fix the security hole
fast. So for SuSE the best solution is to take the old package and make
the minimum number of changes needed to fix the security hole.
Occasionally there are so many holes this is impossible but generally this
is the right thing to do.


On Tue, 10 Sep 2002, ic_admin wrote:

> Hi List,
> Just a question concerning iptables v1.2.2 shipped with SuSE 7.3:
> Is it OK to install this version? I saw there are newer versions
> available at but in the SuSE-Update-Download-section no
> update is available. Are the bugs not security-related?
> Thanks for help and/or further info, links, etc.
> Regards
> Ruediger

Bob Vickers R.Vickers@xxxxxxxxxxxxx
Dept of Computer Science, Royal Holloway, University of London
Phone: +44 1784 443691
