Archive for the ‘Security’ Category

openSUSE Infrastructure Security

Monday, March 23rd, 2009 by Zonker

Another nice shout-out for the openSUSE community here: The USENIX Association magazine, ;login:, has recognized openSUSE as having the same level of protection against some of the recently discovered package management vulnerabilities as enterprise-class distros. Says Federico Lucifredi:

What’s more, the openSUSE and SUSE Linux Enterprise distros not only secure packages and package metadata with cryptographic signatures, but have addressed the more exotic attacks described by the paper as well, with the slow-data fix currently in Factory completing the picture. The upshot of this is that users can deploy updates safely whether they’re obtaining updates from a centralized network or through a decentralized system of community maintained mirrors.

The full article is available as a PDF. Definitely worth a read!

DNS cache poisoning fix

Friday, July 11th, 2008 by Zonker

If you’re running BIND on openSUSE or SUSE Linux Enterprise, you want to install the update that was pushed out recently. This was pushed out on opensuse-security-announce (which I’m sure everybody is subscribed to, right? ’Cause these announcements are very infrequent and fairly important…) but I wanted to mention it here as well…

In case you hadn’t read about it already, there’s a major DNS flaw that leaves DNS implementations vulnerable to cache poisoning (essentially giving the wrong IP address for a domain name, which makes it possible to redirect queries to the wrong host — which opens up a whole slew of possible mischief).

We’ve issued a fix for openSUSE 10.2, 10.3, and 11.0, as well as SLES/SLED 10, and a number of other versions.