SuSE Fixes Bugs, Defends New Update Policy

Novell releases numerous fixes to bugs that could compromise its SuSE Linux line and defends its new policy of issuing noncritical patch notices on a weekly basis.

Novell Inc. released to its SuSE Linux line on Friday numerous fixes to bugs that could enable a number of types of attacks, including DoS.

The new set of patches fixes a variety of problems that can be exploited to cause denial-of-service, spoofing and cross-site scripting attacks, as well as to disclose sensitive information or compromise unpatched systems. The programs affected by the fixes include older versions of SuSE Linux, Desktop and SuSE Server Linux and the newest server operating system, SuSE Enterprise Linux 9.

Most of the flaws are not problems with SuSEs operating system per se, but with bundled programs, like CUPS (Common Unix Printing System), the Sun Java Plug-in and the KDE windows manager.

With this release, Novells SuSE Linux division has started a new approach to releasing bug fixes. According to Marcus Meissner, a member of the SuSE Security Team, "To avoid spamming lists with advisories for every small incident, we will release weekly summary advisories for issues where we have released updates without a full advisory."

The fixes are currently available from SuSEs FTP servers and via the YaST Online Update program.

According to reports, however, security firm Secunia is taking exception to this new weekly announcement policy. "SuSE started a new policy of bundling their updates, so that creates some confusion over what is highly critical and needs to be addressed first," said Thomas Kristensen, Secunias chief technology officer.

The difference, he explained, between SuSEs patch policy and that of Microsoft—which issues patches on a monthly schedule—is that Microsoft issues patches for only one main program, whereas SuSEs patches are for multiple programs.

Novell/SuSE doesnt see it that way.

"We are not aware of any customer confusion in the way our patches are released," said Jasmin Ul-Haque, Novells corporate spokesperson. "Patches continue to be released without delay as soon as they have been approved by our quality assurance team, and our customers receive a timely notice of this via e-mail; this process has not changed at all."

What has changed, Ul-Haque said, "is the method of how we advise our customers of which patches have been released."

"We still send out advisory e-mails for all important issues as soon as the patches have been approved and released. But for all noncritical issues, these patches are now collected in an e-mail, which is released once a week in order to streamline the volume of messages that our customers get and to help them differentiate between important and noncritical issues," Ul-Haque said.


Check out eWEEK.coms for the latest open-source news, reviews and analysis.