"Official" (security) update announcement repository? fedora-announce-list? Re: Flaw discovered in Sendmail 8.13.5

Kurt Bechstein kurt at uniqsys.com
Wed Apr 5 13:04:23 UTC 2006


On Tue, 2006-04-04 at 18:39 -0500, David Eisenstein wrote:

> For some reason, the announcements 'FEDORA-2006-193' for sendmail-8.13.6-
> 0.FC5.1 and 'FEDORA-2006-194' for sendmail-8.13.6-0.FC4.1, both apparently
> published March 22nd, never appeared to make it into the fedora-announce-list
> archives.  But they indeed do appear on the fedoranews.org site, as
> <http://fedoranews.org/cms/node/466> and <http://fedoranews.org/cms/node/468>,
> respectively.  Where did you get those announcements from, Thomas?
> 
> Since I consider fedora-announce-list's archives to be a rather "official"
> repository of what is fixed or updated for Fedora Core, I generally go by the
> rule that whatever's in fedora-announce-list's archives are things that are
> fixed; and if it's not there in the archives, it's not fixed.  Therefore, I,
> too, might have been led to believe that this sendmail vulnerability remained
> unpatched in Fedora Core.
> 
> Should these announcements be re-published to fedora-announce-list?
> 
> Further, should fedora-announce-list be considered an official repository of
> security and non-security update announcements for Fedora packages?  If not,
> does the Fedora Project need to define such an official repository? -- some
> web location where we can all agree to point end-users to and say, "Here.
> This is where all update announcements will reside, so if there's no
> announcement here about issue xyz, then issue xyz's not been fixed." ??
> 
> 	Warm regards,
> 	David Eisenstein
> 
> ps:  By the way, FYI, Fedora Legacy ran into a number of bugs in our initial
> release of packages that patch the CVE-2006-0058 sendmail issue for three of
> the five distributions we work with, RHL 7.3, RHL 9, and FC1; the FC2 and FC3
> packages appeared to be fine on initial release.  The bugs were mostly due to
> the fact that we had to *upgrade* older sendmails to sendmail-8.12.11, which
> broke some things.  (See Bugzilla #186277 starting with comments #30 ff. for
> more info....)
> 
> We have just today finished our QA process on the RHL 7.3, RHL9, and FC1
> packages that are currently in updates-testing, so updated packages should be
> released soon.  -dde
> 

Just so I'm clear on this one, do these packages fix something different
from the packages referenced on http://fedoranews.org/cms/node/489 ?
They seem to reference the same CVE listing, so I just wanted to be sure
before I have to go patching a boatload of servers again.



-- 
Kurt Bechstein             |  Unique Systems, Inc.
Systems Administrator      |  1687 Woodlands Dr.
Phone:  (419) 861-3331     |  Maumee, OH 43537
Email:  kurt at uniqsys.com   |  http://www.uniqsys.com




More information about the Fedora-security-list mailing list