SUSE Security Data considerations
SUSE provides security data for the CVE issues affecting the SUSE Linux products and the openSUSE distributions.
We provide the data in OVAL, CVRF and CSAF formats under the Creative Commons license.
The security data is generated from released updates, updates in QA, and our security tracking and scoring data. The same data sources are used for all data feeds and the CVE pages.
Granularity
The SUSE security data is provided at source RPM granularity: every binary RPM built from a given source RPM is shown with the same status.
The affected code is not necessarily present in all of the listed binary RPMs.
The primary example is the Linux kernel: a kernel security issue lives in the main kernel packages containing vmlinux and the .ko modules, but not in the kernel -devel, -syms or -docs packages, even though those are listed as well.
The same applies to userspace libraries, where the affected code may be only in the main library package and not in the -devel package, which contains only headers and the library .so symbolic links.
We nevertheless recommend updating all binary RPMs of an affected source RPM, as they may have explicit or implicit dependencies on each other.
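The following Python helper is added here as an example; it is not part of SUSE's tooling. It groups the installed binary RPMs of a host by the source RPM they were built from, using the output of rpm -qa --qf '%{NAME}|%{EVR}|%{SOURCERPM}\n', so that a source-RPM-level status from the security data can be mapped to the binaries it actually covers, and it flags source packages whose binaries come from different builds, which is the partially updated state the recommendation above is meant to avoid. The package list is constructed for the example; the versions are not taken from any real advisory.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Constructed sample of `rpm -qa --qf '%{NAME}|%{EVR}|%{SOURCERPM}\n'` output.
# Package names follow SUSE conventions; the versions are invented. The
# kernel-default-devel line is still at the older build, i.e. a partial update.
SAMPLE_RPM_QA = """\
kernel-default|5.14.21-150500.55.22.1|kernel-default-5.14.21-150500.55.22.1.src.rpm
kernel-default-devel|5.14.21-150500.55.19.1|kernel-default-5.14.21-150500.55.19.1.src.rpm
kernel-devel|5.14.21-150500.55.22.1|kernel-source-5.14.21-150500.55.22.1.src.rpm
libopenssl3|3.1.4-150500.5.7.1|openssl-3-3.1.4-150500.5.7.1.src.rpm
libopenssl-3-devel|3.1.4-150500.5.7.1|openssl-3-3.1.4-150500.5.7.1.src.rpm
"""


def split_source_rpm(source_rpm: str) -> tuple[str, str]:
    """Split 'name-version-release.src.rpm' into (name, 'version-release').

    The name may contain dashes (openssl-3, kernel-default) but version and
    release never do, so split on the last two dashes only."""
    base = re.sub(r"\.(no)?src\.rpm$", "", source_rpm)
    name, version, release = base.rsplit("-", 2)
    return name, f"{version}-{release}"


def group_by_source(rpm_qa_output: str) -> dict[str, dict[str, str]]:
    """Map source package name -> {binary package name: version-release of the
    source build it came from}. The source package is the unit the SUSE
    security data reports on."""
    groups: dict[str, dict[str, str]] = defaultdict(dict)
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        name, _evr, source_rpm = line.split("|")
        src_name, src_vr = split_source_rpm(source_rpm)
        groups[src_name][name] = src_vr
    return dict(groups)


def binaries_for_source(groups: dict[str, dict[str, str]], src_name: str) -> list[str]:
    """All installed binary RPMs that a status for src_name in the data covers."""
    return sorted(groups.get(src_name, {}))


def mixed_build_sources(groups: dict[str, dict[str, str]]) -> dict[str, set[str]]:
    """Source packages whose installed binaries come from different builds.

    Such a host carries an updated main package next to stale sub-packages (or
    the reverse); updating every binary RPM of an affected source RPM avoids it."""
    return {src: set(pkgs.values()) for src, pkgs in groups.items()
            if len(set(pkgs.values())) > 1}


if __name__ == "__main__":
    groups = group_by_source(SAMPLE_RPM_QA)
    print("kernel-default covers:", binaries_for_source(groups, "kernel-default"))
    for src, builds in mixed_build_sources(groups).items():
        print(f"mixed builds for {src}: {sorted(builds)}")
```

On a real host, feed the output of the rpm query shown in the comment into group_by_source instead of the constructed sample.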
Refresh schedule
Our security data sets are regenerated once a day, overnight, while the CVE pages are updated multiple times during the working day.
Kernel Livepatches
SUSE fixes important and critical kernel security issues in two ways: through the regular update of the kernel packages, and through so-called kernel livepatches that can be loaded into a running kernel. Note that for SLES 12 and 15 livepatching requires a separate paid subscription, while in SLES 16 and SL Micro 6 it is included in the regular subscription.
In the offerings with livepatch support, every released kernel receives livepatches for 13 months.
A kernel security issue can therefore be fixed either way, and evaluation logic that decides whether a CVE is fixed must account for both: the issue is fixed when the updated kernel packages are installed, or when the livepatch carrying the fix is loaded into the running kernel. The OVAL data we supply expresses these relations; the CVRF and CSAF formats cannot express them at this time.
Userspace livepatches
We also provide userspace livepatches for the glibc and openssl libraries at this time, either with a special subscription on SLES 15 or included in SLES 16 and SL Micro 6.
Note that a userspace livepatch only patches the running programs and services selected for livepatching; the regular package update is still required.
Security detection logic therefore needs no special handling for userspace livepatches: the installed package version alone decides whether the CVE is fixed.
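The following Python example is added here to illustrate the evaluation logic described above for kernel livepatches and, by contrast, for userspace livepatches; it is not SUSE's code and does not parse the OVAL format itself. It ports librpm's version comparison (rpmvercmp, then epoch/version/release) and evaluates a CVE rule as a set of OR'ed alternatives, each a set of AND'ed package requirements, which is the shape of an OVAL criteria tree. The kernel rule has two alternatives, the kernel update or a livepatch for the exact running kernel build; the glibc rule has one, because a userspace livepatch does not replace the package update. Package names follow SUSE naming conventions, but every version, the livepatch package name and the host inventories are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

_DIGIT = set("0123456789")
_ALPHA = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
_SEP = lambda c: c not in _DIGIT and c not in _ALPHA and c not in "~^"


def _span(s: str, i: int, pred) -> int:
    """Index just past the run of characters from i for which pred holds."""
    while i < len(s) and pred(s[i]):
        i += 1
    return i


def rpmvercmp(a: str, b: str) -> int:
    """Port of librpm's rpmvercmp(): returns -1, 0 or 1. Segments split at
    non-alphanumerics; numeric segments compare as integers and beat alphabetic
    ones; '~' sorts before anything (pre-releases), '^' after the base version."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        i, j = _span(a, i, _SEP), _span(b, j, _SEP)   # skip separators
        ca, cb = a[i:i + 1], b[j:j + 1]               # "" at end of string
        if "~" in (ca, cb):
            if ca != "~" or cb != "~":
                return 1 if ca != "~" else -1
            i, j = i + 1, j + 1
            continue
        if "^" in (ca, cb):
            if not ca or not cb:
                return -1 if not ca else 1
            if ca != "^" or cb != "^":
                return 1 if ca != "^" else -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca in _DIGIT
        kind = _DIGIT.__contains__ if isnum else _ALPHA.__contains__
        i2, j2 = _span(a, i, kind), _span(b, j, kind)
        seg_a, seg_b = a[i:i2], b[j:j2]
        if not seg_b:                       # numeric vs alphabetic: numeric wins
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):    # longer number is larger
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = i2, j2
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str) -> tuple[int, str, str]:
    """'[epoch:]version-release' -> (epoch, version, release); epoch defaults to 0."""
    epoch, sep, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return (int(epoch) if sep else 0), version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


@dataclass(frozen=True)
class Requirement:
    package: str  # installed package name
    op: str       # ">=": at least this EVR; "==": exactly this EVR (the build a livepatch targets)
    evr: str

    def holds(self, installed: dict[str, str]) -> bool:
        have = installed.get(self.package)
        if have is None:
            return False
        c = evr_cmp(have, self.evr)
        return c >= 0 if self.op == ">=" else c == 0


def fixed_via(installed: dict[str, str], rule: dict[str, list[Requirement]]) -> str | None:
    """Name of the first alternative whose requirements all hold, else None.
    Alternatives are OR'ed, requirements inside one are AND'ed; installed maps
    package name -> EVR of the installed (for kernel-default: running) package."""
    for alternative, reqs in rule.items():
        if all(r.holds(installed) for r in reqs):
            return alternative
    return None


# Constructed rule for a hypothetical kernel CVE: package names follow SUSE naming
# conventions, but every version and the livepatch package name are invented.
KERNEL_RULE = {
    "kernel update": [Requirement("kernel-default", ">=", "5.14.21-150500.55.22.1")],
    "livepatch": [  # only counts for the exact kernel build the livepatch targets
        Requirement("kernel-default", "==", "5.14.21-150500.55.19.1"),
        Requirement("kernel-livepatch-5_14_21-150500_55_19-default", ">=", "1-150500.11.3.1"),
    ],
}
# A userspace livepatch is not a fix in the data (the package update stays required),
# so a glibc rule has a single alternative. Version constructed for the example.
GLIBC_RULE = {"glibc update": [Requirement("glibc", ">=", "2.31-150300.83.1")]}

# Constructed host inventories, package name -> EVR.
HOSTS = {
    "updated": {"kernel-default": "5.14.21-150500.55.22.1"},
    "livepatched": {"kernel-default": "5.14.21-150500.55.19.1",
                    "kernel-livepatch-5_14_21-150500_55_19-default": "1-150500.11.3.1"},
    "stale": {"kernel-default": "5.14.21-150500.55.19.1",
              "kernel-livepatch-5_14_21-150500_55_19-default": "1-150500.11.2.1"},
}
```

The "==" requirement on kernel-default is the important detail: a livepatch is built for one specific kernel build and says nothing about any other kernel installed on the host. The example takes the single kernel-default EVR in the inventory as the running kernel; on a host with several kernels installed (multiversion), the EVR of the running kernel must be selected before evaluation.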
Format deprecation
SUSE is deprecating the CVRF format in favor of CSAF. We plan to stop supplying CVRF data after the end of 2026.