In the notes, it says that “server:mail” already has the patched version which is correct. Is that the resolution on this? Update using that repo? Or are they testing the update with Leap and will push out the patch via the standard updates repo?
This is something that I’ve noticed with openSUSE compared with other distros. The security updates seem to be generally slower than other distros. For example, this has already been patched in Debian, CentOS, etc. Basically every other distro already pushed this patch out to their distro.
Are security updates in openSUSE slower than other distros? If so, is that because of the amount of testing that openSUSE does or something else? Or am I just way off base here?
Hi
Likely backporting the fixes to the 4.88 version… the newer version is already submitted to Tumbleweed because that’s how it rolls. The incident has been classed as moderate…
Thanks Malcolm! I suspected it might be something like that. I’m not running Exim on openSUSE but I do on some other servers I manage which is why I was looking at it at all.
I really like openSUSE and I’ve been thinking of switching some of my servers over to it and so I was just using this as an example to get some info on how security updates in openSUSE work. It seems to me that security updates in openSUSE are a little slower than other distros. And if I was running Exim on openSUSE, I would be concerned right now. Debian Stretch is probably the closest to Leap in regards to Exim versions used and they already had these patched and released this morning when I first checked it out.
Obviously, the openSUSE team is working on that too and it’s not a huge issue. I just noticed that it almost always seems that openSUSE is one of the last to get these kinds of security updates. That had me wondering why. Is it because of lack of resources, extensive testing, or something else? Or am I totally wrong about this perception?
Also, I just want to say that there is nothing negative about this post. I’m just curious about the process.
Hi
Likely the synergy between Leap and SLE and the reviews by both product teams. Now, that being said, if it’s severe/critical I think you will find it turns up a short time after the CVE is made public… the security team are on it.