Hi,
I started a security scan on a freshly installed grammm and got these vulnerable packages (as well as some other security issues):
- bind
- Kernel
- libnettle
- patches
- qemu
- ruby2.5
- shim
It was easy to fix. Just log in to the console and type:
zypper update
But I think the latest release should not be shipped with vulnerable packages; this is in general really critical, especially when the product is so easy to install for end users.
I will continue with some other security checks. I think I don't have to mention the insecure admin access, where you already said that this will be fixed in the next release.
If you want, I can provide a document for your admin documentation where I describe how to make the grammm-linux secure. Just tell me if I should spend time on that.
Thanks.