Security updates listed affected products and backports

In security update announcement SUSE-SU-2024:0769-1, openSUSE Leap 15.3 is listed as an affected product and a patch is supplied, despite this version being end of life.

I have also seen other cases where (more expectedly) this is not the case, e.g. SUSE-SU-2024:0058-1, where e.g. Leap 15.4 was actually affected.

  • Is there any particular condition for the first fix being backported to an EOL version?
  • Are EOL products ever listed as affected, but without a fix being backported? This would still be useful information, but I guess it would increase the workload of the SUSE security team.

I think this is done automatically by the OBS.

So if the Distribution is not deleted from the Build, the OBS will generate an rpm or patch automatically.
But I think many rpms or patches do not build anymore for the “old” Distributions and so they are not delivered anymore.

Also the SUSE Linux Enterprise Server 15 SP3 is maintained up to December 2025:

I also think this is a lack of cleaning up of a list somewhere.

In any case, it should not lure you into the idea that these old versions are still maintained secure.

Thank you guys for your very fast and kind replies!

Re-reading my question, I understand it sounds like I’m trying to figure out if it is secure to stay on an EOL version, and just to clarify, I am not.

Just trying to figure out how the process works, what gets picked up as an “affected product” and how, and how an EOL product could get an unexpected backport like that.