Thread: 21Nails, and a broader question about security updates in openSUSE

  1. #1

    21Nails, and a broader question about security updates in openSUSE

    Hi All,

    I'm curious about this security issue:
    https://bugzilla.opensuse.org/show_bug.cgi?id=1185631

    In the notes, it says that "server:mail" already has the patched version which is correct. Is that the resolution on this? Update using that repo? Or are they testing the update with Leap and will push out the patch via the standard updates repo?

    This is something that I've noticed with openSUSE compared with other distros. The security updates seem to be generally slower than other distros. For example, this has already been patched in Debian, CentOS, etc. Basically every other distro already pushed this patch out to their distro.

    Are security updates in openSUSE slower than other distros? If so, is that because of the amount of testing that openSUSE does or something else? Or am I just way off base here?

    Thanks!

  2. #2

    Re: 21Nails, and a broader question about security updates in openSUSE

    Quote Originally Posted by rootetsy View Post
    I'm curious about this security issue
    Unless you have specifically installed and configured Exim, this has no relevance to you.

    SLES does not ship with it and openSUSE has never used it (as a default), so the impact for the majority of users is nil.
    .: miuku #suse @ irc.freenode.net

  3. #3

    Re: 21Nails, and a broader question about security updates in openSUSE

    Quote Originally Posted by rootetsy View Post
    Hi All,

    I'm curious about this security issue:
    https://bugzilla.opensuse.org/show_bug.cgi?id=1185631

    In the notes, it says that "server:mail" already has the patched version which is correct. Is that the resolution on this? Update using that repo? Or are they testing the update with Leap and will push out the patch via the standard updates repo?

    This is something that I've noticed with openSUSE compared with other distros. The security updates seem to be generally slower than other distros. For example, this has already been patched in Debian, CentOS, etc. Basically every other distro already pushed this patch out to their distro.

    Are security updates in openSUSE slower than other distros? If so, is that because of the amount of testing that openSUSE does or something else? Or am I just way off base here?

    Thanks!
    Hi
    Likely backporting the fixes to the 4.88 version... the newer version is already submitted to Tumbleweed because that's how it rolls. The incident has been classed as moderate...
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE

  4. #4

    Re: 21Nails, and a broader question about security updates in openSUSE

    Quote Originally Posted by malcolmlewis View Post
    Hi
    Likely backporting the fixes to the 4.88 version... the newer version is already submitted to Tumbleweed because that's how it rolls. The incident has been classed as moderate...
    Thanks Malcolm! I suspected it might be something like that. I'm not running Exim on openSUSE but I do on some other servers I manage which is why I was looking at it at all.

    I really like openSUSE and I've been thinking of switching some of my servers over to it and so I was just using this as an example to get some info on how security updates in openSUSE work. It seems to me that security updates in openSUSE are a little slower than other distros. And if I was running Exim on openSUSE, I would be concerned right now. Debian Stretch is probably the closest to Leap in regards to Exim versions used and they already had these patched and released this morning when I first checked it out.

    Obviously, the openSUSE team is working on that too and it's not a huge issue. I just noticed that it almost always seems that openSUSE is one of the last to get these kinds of security updates. That had me wondering why. Is it because of lack of resources, extensive testing, or something else? Or am I totally wrong about this perception?
    Also, I just want to say that there is nothing negative about this post. I'm just curious about the process.

  5. #5

    Re: 21Nails, and a broader question about security updates in openSUSE

    Quote Originally Posted by rootetsy View Post
    Thanks Malcolm! I suspected it might be something like that. I'm not running Exim on openSUSE but I do on some other servers I manage which is why I was looking at it at all.

    I really like openSUSE and I've been thinking of switching some of my servers over to it and so I was just using this as an example to get some info on how security updates in openSUSE work. It seems to me that security updates in openSUSE are a little slower than other distros. And if I was running Exim on openSUSE, I would be concerned right now. Debian Stretch is probably the closest to Leap in regards to Exim versions used and they already had these patched and released this morning when I first checked it out.

    Obviously, the openSUSE team is working on that too and it's not a huge issue. I just noticed that it almost always seems that openSUSE is one of the last to get these kinds of security updates. That had me wondering why. Is it because of lack of resources, extensive testing, or something else? Or am I totally wrong about this perception?
    Also, I just want to say that there is nothing negative about this post. I'm just curious about the process.
    Hi
    Likely the synergy between Leap and SLE and the reviews by both product teams. That being said, if it's severe/critical, I think you will find it turns up a short time after the CVE is made public... the security team are on it.
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE

  6. #6

    Re: 21Nails, and a broader question about security updates in openSUSE

    Thanks so much for the explanation Malcolm! That's what I thought might be going on but wanted to make sure.
