Security advisories scope

Hi,
We are supporting SLES 11 SP3 LTSS systems and proactively monitor the security update advisories for newly discovered vulnerabilities and fixes. So far we have been filtering the list based on Affected Products but since SP3 went out of general support end of Jan, we are concerned that the we may “miss” some advisories which impact this particular version. In other words, can you confirm that the “Affected Products” list for each advisory is complete and full representation of the scope for the vulnerability in question? For example the recent ntp vulnerability has listed only SLES SP4 as affected product, can we assume than it is NOT applicable for SP3?
Thank you for a swift answer!

Hi xaoc,

[QUOTE=xaoc;32755]Hi,
We are supporting SLES 11 SP3 LTSS systems and proactively monitor the security update advisories for newly discovered vulnerabilities and fixes. So far we have been filtering the list based on Affected Products but since SP3 went out of general support end of Jan, we are concerned that the we may “miss” some advisories which impact this particular version. In other words, can you confirm that the “Affected Products” list for each advisory is complete and full representation of the scope for the vulnerability in question? For example the recent ntp vulnerability has listed only SLES SP4 as affected product, can we assume than it is NOT applicable for SP3?
Thank you for a swift answer![/QUOTE]

as this is a security-related question asking for official statements from SUSE, I suggest you contact your SUSE representative to receive an official reply / statement. The SUSE forums are for user-to-user communications, so any answer you receive here would have no binding effect and no official SUSE representative is monitoring these forums.

Regards,
J.

I believe so, but that is based on a patch from earlier this year. The
page like yours is here:

https://www.suse.com/support/update/announcement/2016/suse-su-20161301-1.html

The page for the specific vulnerability was here, and updated as patches
were released for various SPs/builds of SLE and ImageMagick:

https://www.suse.com/security/cve/CVE-2016-3714.html

Notice that, despite being earlier this year, this has SP2 and SP3 LTSS
included.


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…