List:       suse-security
Subject:    [opensuse-security] Re: [security-announce] SUSE Security Announcement: Linux kernel (SUSE-SA:2010:0
From:       Marcus Meissner <meissner () suse ! de>
Date:       2010-10-28 16:17:42
Message-ID: 20101028161742.GM5902 () suse ! de

On Thu, Oct 28, 2010 at 09:37:15AM +0200, Frank Steiner wrote:
> Hi,
> 
> we are quite confused about the current kernel updates from Novell.
> 
> 1) Two weeks ago we got this announcement for SLES 11 SP1:
> 
> Marcus Meissner wrote
> 
> > ______________________________________________________________________________
> > 
> >                         SUSE Security Announcement
> > 
> >         Package:                kernel
> >         Announcement ID:        SUSE-SA:2010:050
> >         Date:                   Wed, 13 Oct 2010 17:00:00 +0000
> >         Affected Products:      SLE 11 SERVER Unsupported Extras
> >                                 SUSE Linux Enterprise High Availability Extension 11 SP1
> >                                 SUSE Linux Enterprise Desktop 11 SP1
> >                                 SUSE Linux Enterprise Server 11 SP1
> >         Vulnerability Type:     local privilege escalation
> >         CVSS v2 Base Score:     7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
> >         SUSE Default Package:   yes
> >         Cross-References:       CVE-2010-2954, CVE-2010-2960, CVE-2010-2962
> >                                 CVE-2010-3078, CVE-2010-3079, CVE-2010-3080
> >                                 CVE-2010-3081, CVE-2010-3296, CVE-2010-3297
> >                                 CVE-2010-3298, CVE-2010-3310
> 
> The new kernel packages offered with this announcement had the version/release
> kernel-default-2.6.32.23-0.3.1.
> 
> 2) Yesterday there was an announcement from the Novell customer center for
>    SLES 11 SP1:
> 
>    26 Oct 2010 Novell Customer Center 
>    ...
>    11. Security update for the Linux kernel
>    SUSE Linux Enterprise Server 11 for x86-64
>       http://download.novell.com/Download?buildid=XqWyWoma4DM~
> 
>    The link leads to a page with:
>    "the Linux kernel (x86_64) 20100617
>     ...
>     kernel-default-2.6.32.13-0.4.1.x86_64.rpm"
> 
>    Thus, way older than what you announced on Oct. 13th.

> 3) And tonight our yup mirroring of the Novell server downloaded kernel
>    packages with version/release: kernel-default-2.6.32.19-0.2.1
>    which was the current kernel before the release from Oct. 13th.

> I guess the .23 version is still supposed to be the latest one, but 
> what about the new announcement from yesterday and all these old
> packages?


We did respool some older SLE11 SP1 patches to include a new
subproduct channel which has triggered this behaviour (adding SLES 4 VMWARE).

Packages inside of the patches were unchanged.

Unfortunately this triggered the automated update notice mechanisms,
but the RPMs themselves should be effectively unchanged.

It is probably the same reason it downloaded kernel-default-2.6.32.19-0.2.1
again.

The last SLE11 SP1 update is still from 2 weeks ago.
 
Ciao, Marcus