We had a big patch day yesterday, installing all current security patches of SuSE. Some guy – who had a security audit report – called and asked about the patch level. I accidentally gave him the openssl version number instead of mod_ssl. Mod_ssl of course is included in the apache2 and doesn’t have a “unique” version scheme.

Of course, SuSE doesn’t change version numbers with security patches unless absolutely necessary. They backport the fixes into the current version. A simple comparison of the installed version number against the one named in an advisory therefore tells you nothing. The guy insisted I give him, in writing, a confirmation that the security problem no longer exists.
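The practical way to answer that kind of question on a distribution that backports fixes is to check the package changelog for the advisory id instead of the upstream version number. The script below is an added example (not part of the original post, and not SuSE’s or Apache’s own tooling): it compares a naive version check with a changelog check. The changelog text, the version numbers and the `CVE-XXXX-NNNN` id are constructed placeholders, not a real advisory; on a real system the changelog would come from `rpm -q --changelog apache2`.

```shell
# Added example: decide whether a backported fix is present by reading the
# package changelog rather than by comparing upstream version numbers.
# Assumption: the distribution records fixed advisory ids in the RPM changelog.
# Everything below (versions, changelog, advisory id) is constructed sample data.

# Constructed sample changelog, in the shape "rpm -q --changelog <pkg>" prints.
SAMPLE_CHANGELOG='* Mon Jan 01 2007 - packager@example.invalid
- backported fix for CVE-XXXX-NNNN (mod_ssl denial of service)
* Fri Dec 01 2006 - packager@example.invalid
- initial package 2.0.49'

# version_lt A B: succeeds if dotted version A sorts before B (numeric per field).
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t . -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# changelog_mentions CHANGELOG ID: succeeds if the changelog lists the advisory id.
changelog_mentions() {
    printf '%s\n' "$1" | grep -q -F -- "$2"
}

# audit_verdict INSTALLED FIXED_UPSTREAM CHANGELOG ID
# Prints "patched-by-version" when the installed version already carries the
# upstream fix, "patched-by-backport" when the changelog records the advisory,
# and "vulnerable" when neither source shows the fix.
audit_verdict() {
    installed=$1; fixed=$2; changelog=$3; id=$4
    if ! version_lt "$installed" "$fixed"; then
        echo patched-by-version
    elif changelog_mentions "$changelog" "$id"; then
        echo patched-by-backport
    else
        echo vulnerable
    fi
}

# Demonstration: the naive version check flags the box, the changelog clears it.
if version_lt 2.0.49 2.0.50; then
    echo "naive version comparison: 2.0.49 < 2.0.50, reported as vulnerable"
fi
echo "changelog-aware verdict: $(audit_verdict 2.0.49 2.0.50 "$SAMPLE_CHANGELOG" CVE-XXXX-NNNN)"
```

The verdict is only as good as the changelog discipline of the packager, so an advisory id that is absent from the changelog should be treated as “unknown, check the vendor’s advisory database,” not silently as “fixed.” That is exactly why the exact problem id matters: without it there is nothing to look up.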

“Well,” I ask. “Which problem is this exactly?”

Of course I presume that yesterday’s SuSE patches fix all currently known security holes. But can I be sure? No.

“That’s in the report, do you have that?”

I check my email. Actually, I do. The report says, basically, that there is a problem with this version, allowing a DoS situation. Well, that’s pretty generic.

“If you can tell me what the exact problem is,” I tell the guy, “then I can find out whether or not it was patched. Alternatively, the people who made this report are welcome to simply scan again to see if the problem persists.”

He didn’t want to do that, of course. He ends the telephone call by hinting at an escalation (this company’s favorite sport) and promises me: “This will be on your desk again shortly.”

Sure, be my guest. I’ll happily tell him – in writing – that without exact information I cannot give exact answers either. And it cannot be my responsibility to second-guess what other people consider security problems on my webservers. They’re patched, and I am confident that they are as secure as reasonable effort allows.

I think I’ll have to go home early today.
