[Fwd: "Official" (security) update announcement repository? fedora-announce-list? Re: Flaw discovered in Sendmail 8.13.5]

David Eisenstein deisenst at gtw.net
Tue Apr 4 23:51:06 UTC 2006


Note:  I am forwarding this to you all, as you may find these issues relevant.
Main discussion of this will likely happen either on fedora-security-list or
fedora-websites-list.

	Warm regards,
	David Eisenstein

-------- Original Message --------
Subject: "Official" (security) update announcement repository?
fedora-announce-list? Re: Flaw discovered in Sendmail 8.13.5
Date: Tue, 04 Apr 2006 18:39:16 -0500
From: David Eisenstein <deisenst at ...>
To: fedora-security-list at redhat.com,  Thomas Chung <tchung at ...>
CC: Ronald Nissley <ronn at ...>

Thomas Chung wrote:
> On 4/4/06, Ronald Nissley <ronn at ...> wrote (to fedora-security-list):
> 
>> A security flaw has been found in Sendmail 8.13.5. The flaw is resolved
>> in 8.13.6 or by patching 8.13.5. You can read more at
>> http://www.sendmail.org under Recent News. What is Fedora's response for
>> issues like this? Are users expected to install the patch,
>> compile/install the fixed version, or will Fedora release 8.13.6 rpms
>> shortly?
> Ronald,
> Fedora Project already pushed 8.13.6 for FC5.
> http://fedoranews.org/cms/node/466

For some reason, the announcements 'FEDORA-2006-193' for sendmail-8.13.6-
0.FC5.1 and 'FEDORA-2006-194' for sendmail-8.13.6-0.FC4.1, both apparently
published March 22nd, never appeared to make it into the fedora-announce-list
archives.  But they indeed do appear on the fedoranews.org site, as
<http://fedoranews.org/cms/node/466> and <http://fedoranews.org/cms/node/468>,
respectively.  Where did you get those announcements from, Thomas?

Since I consider fedora-announce-list's archives to be a rather "official"
repository of what is fixed or updated for Fedora Core, I generally go by the
rule that whatever's in fedora-announce-list's archives are things that are
fixed; and if it's not there in the archives, it's not fixed.  Therefore, I,
too, might have been led to believe that this sendmail vulnerability remained
unpatched in Fedora Core.

Should these announcements be re-published to fedora-announce-list?

Further, should fedora-announce-list be considered an official repository of
security and non-security update announcements for Fedora packages?  If not,
does the Fedora Project need to define such an official repository? -- some
web location where we can all agree to point end-users to and say, "Here.
This is where all update announcements will reside, so if there's no
announcement here about issue xyz, then issue xyz's not been fixed." ??

	Warm regards,
	David Eisenstein

ps:  By the way, FYI, Fedora Legacy ran into a number of bugs in our initial
release of packages that patch the CVE-2006-0058 sendmail issue for three of
the five distributions we work with, RHL 7.3, RHL 9, and FC1; the FC2 and FC3
packages appeared to be fine on initial release.  The bugs were mostly due to
the fact that we had to *upgrade* older sendmails to sendmail-8.12.11, which
broke some things.  (See Bugzilla #186277 starting with comments #30 ff. for
more info....)

We have just today finished our QA process on the RHL 7.3, RHL9, and FC1
packages that are currently in updates-testing, so updated packages should be
released soon.  -dde
