What is the SUSE Linux Enterprise Update Policy?
This document (7014858) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Server 9
SUSE Linux Enterprise Server 8
Situation
- SUSE update policies
- Security issue
- Non-security issue
- Long term Service Pack support
Resolution
Of utmost concern is that SUSE's customers' systems function as intended -- securely and reliably. Updates for SUSE Linux Enterprise, delivered by SUSE, are the primary vehicle for ensuring system performance, security and reliability, during a customer's subscription period. Updates help reduce the risk of failure from regressions, data corruption and data loss.
SUSE's update policies can differ, depending on whether or not a potential issue is a security issue or a non-security issue. They can also vary depending on whether or not a customer is entitled to Long term Service Pack support.
For Security Issues:
SUSE categorizes security issues into two types -- VUL-0 and VUL-1:
- VUL-0: This is an issue that requires immediate attention
- A possible attacker can exploit the given vulnerability directly in a default or common configuration, in a scenario that is both possible and likely to occur at a customer's site.
- The vulnerability can be used to execute code or cause a Denial of Service with impact
- VUL-1: This is an issue that can be fixed with an update at a later time.
- A vulnerability where exploitability is highly unlikely or even impossible
- An information leak that alone does not lead to a vulnerability
- The issue does not involve a widely used package
- SUSE's Security Team prioritizes and begins working on VUL-0 issues immediately, while VUL-1 issues are placed on the planned update list to be consolidated together with later updates. However, the final decision rests with the assigned incident coordinator.
- All fixes are provided only on the latest package versions available via the update repos and not on intermediate versions.
- Critical (Urgent): This type of vulnerability can be used to execute arbitrary code remotely without prior authentication (or with authentication if anyone can obtain this authentication) and can either be used for worm activities or to take over control of the system.
- Important (High): This type of vulnerability can be used to execute arbitrary code in other contexts that are likely or possibly allows in some common product scenarios to escalate the attacker's privileges on the customer system.
- Moderate: This type of vulnerability is a denial-of-service issue only
- Low: This is a VUL-1 only type of issue, where the overall severity or likelihood of this flaw being exploited is very unlikely.
SUSE's Maintenance Team also starts working immediately on updates for issues upon getting knowledge and verifying that it is a qualifying maintenance update, according to SUSE's Maintenance Policy. Potential non-security issues that are deemed a high priority include:
- Loss of customer data or corruption of customer data in an extremely unlikely configuration
- Severe memory leaks, in a default or likely configuration of the product
- Regressions introduced by a previous security or recommended non-security update (not optional or feature updates)
- Regressions introduced by the release of a current Service Pack in functionality that was already available and supported in previous Service Packs of the same code stream.
- Fixes for visible major defects in advertised or main product features
- Critical: The issue causes a loss or corruption of customer data, in likely or default configurations (e.g. data integrity issues), or the issue is a fatal condition introduced by a previous update or service pack (example: systems or services don't start up anymore) that cannot easily be worked around.
- Important: The issue includes any crash or fatal and frequent malfunction that can happen in likely configurations and that could result in major loss of functionality for multiple customers (Example: Service daemon crashes regularly or irregularly and needs to be manually restarted by the administrator). Also classified as important are, a mass PTFs that are requested by NTS or issues escalated by NTS as important.
- Moderate: Issue involves functionality that is frequently used by customers and is affected, but not fatally affected (e.g. it works at least for one kind of scenario). Possible indicators might include:
- More than one bug report that refers to the same issue
- More than one PTF issued for the same underlying problem to multiple customers
- Many NTS Service Requests that refer to the same bug report
- Low: These are customer reported issues that involve a core set of product packages where more than a single customer is expected to benefit from a fix.
Upon the expiration of a Service Pack's general maintenance period (excluding SUSE Linux Enterprise 10 GA and 11 GA), customers have the option to subscribe to Long Term Service Pack Support. This offering proactively delivers a limited number of critical updates (mission critical fixes only) for the customer to keep their systems running and reduce the risk of regressions. Excluded from these updates are non-security and non-L3 fixes. Below are some policy definitions.
Non-Security issues:
- Generally: Not included
- Reactive only:
- Severe data corruption and data loss
- While in Extended Support Phase: Only if triggered by or affecting workloads already deployed during General Support Phase
- Known exploitable arbitrary remote root code execution
- Critical security vulnerabilities
- Direct local privilege escalations to root with proven exploitability
- Endangering network integrity (e.g. Bind, Quagga, etc.)
- Reactive only:
- Remote denial of service
- Internet triggered client (mail/web/...) non-root code execution
- Only in General Support Phase: Internet triggered client (mail/web/...) denial of service
- Only in General Support Phase: Local denial of service
- Only in General Support Phase: Updates for packages that are not on the extended exclusion list (e.g. all packages that require a 3rd party support or maintenance contract, like Java, MySQL, etc.)
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7014858
- Creation Date: 07-Apr-2014
- Modified Date:13-Jan-2023
-
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com