Linux distributions: Why a security fix did not arrive for three years


Linux distributions: Why a security fix did not arrive for three years

Stakanov-2
Read the article on Golem.de:

https://glm.io/152105?m

Hmmmm, we got "bad press" (in German) about a security issue (link above).
_______________________________________________
openSUSE Security mailing list -- [hidden email]
To unsubscribe, email [hidden email]
List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette
List Archives: https://lists.opensuse.org/archives/list/security@...

Re: Linux distributions: Why a security fix did not arrive for three years

Marcus Meissner
On Fri, Nov 13, 2020 at 04:54:41PM +0100, Stakanov wrote:
> Read the article on Golem.de:
>
> https://glm.io/152105?m
>
> Hmmmm, we got "bad press" (German language) about a security issue. (link
> above).

I only now got back mod/admin rights to this list.

We have meanwhile released raptor updates.

If something does not have a CVE, it is quite hard for anyone to track,
so if there are security issues, CVE assignment should be pursued so everyone can handle it :/

Ciao, Marcus

Re: Linux distributions: Why a security fix did not arrive for three years

Bugzilla from marekstopka@gmail.com
It's in German and behind something that seems to be a paywall; could anybody do a simple Google Translate for us non-German speakers?
--
Best regards / S pozdravem,
BSc. Mark Stopka, BBA

mobile: +420 704 373 561



Re: Linux distributions: Why a security fix did not arrive for three years

Marcus Meissner
Hi,

Basically, Hanno Boeck reported a serious bug in "libraptor", an RDF reader used by LibreOffice,
three years ago....

It did not get a CVE, and so was not picked up by Linux distributions.

He actually got one some weeks ago, predisclosed the issue, and then wrote this
article about the experience.

Basically, without CVEs things are not getting fixed...

(He also dissed openSUSE as we were not yet out with the fix at the time of
the article.)

Ciao, Marcus


Re: Linux distributions: Why a security fix did not arrive for three years

Bugzilla from marekstopka@gmail.com
Ah, yes, when CVEs are not requested it's a mess; on the other hand some "CVE collectors" request them for things that are hardly a vulnerability. We (the global IT community) need better vulnerability disclosure and management processes...
--
Best regards / S pozdravem,
BSc. Mark Stopka, BBA

mobile: +420 704 373 561



Re: Linux distributions: Why a security fix did not arrive for three years

Lothar Kimmeringer
In reply to this post by Marcus Meissner


On 27.11.2020 at 08:12, Marcus Meissner wrote:
> (He also dissed openSUSE as we were not yet out with the fix at the time of
> the article.)

I wouldn't call it being dissed. He just listed the distros and mentioned
that there wasn't a fix at the time of writing the article.

But while we're at it: are older releases of openSUSE not affected? I've
only found security announcements for that fix for openSUSE 15.1, while e.g.
Ubuntu's list of patches goes back to Ubuntu 16.04.


Cheers, Lothar

Re: Linux distributions: Why a security fix did not arrive for three years

Stakanov-2
On Friday, 27 November 2020 08:44:49 CET, Lothar Kimmeringer wrote:
> On 27.11.2020 at 08:12, Marcus Meissner wrote:
>
> > (He also dissed openSUSE as we were not yet out with the fix at the time
> > of the article.)
>
> I wouldn't call it being dissed. He just listed the distros and mentioned
> that there wasn't a fix at the time of writing the article.
>
> But while we're at it. Are older releases of openSUSE not affected? I've
> only found security announces for that fix for openSUSE 15.1 while e.g.
> Ubuntu's list of patches goes back to Ubuntu 16.04.
>
> Cheers, Lothar
It was the only distribution singled out for "not having a fix even now". So I
call that bad press.
Patches AFAIK are only released for products that are not EOL.
I do not expect security-relevant fixes to be released for e.g. 42.3 and, to be
honest, if we were already in February 2021 I would not expect such a
patch to be provided for 15.1 either...

Re: Linux distributions: Why a security fix did not arrive for three years

Carlos E. R.-2
In reply to this post by Bugzilla from marekstopka@gmail.com
On 27/11/2020 08.02, Mark Stopka wrote:
> It's in German and behind something that seems to be a pay-wall, anybody
> could do a simple Google Translate for us non-german speakers?

You can use <https://www.deepl.com/translator> to translate some
languages at much better quality than Google Translate. Unfortunately it
does not translate web pages, you have to copy-paste the text.

--
Cheers / Saludos,

                Carlos E. R.
                (from 15.1 x86_64 at Telcontar)
