[rhn-users] Security Errata not covering all versions of RHEL packages

Josh Bressers bressers at redhat.com
Wed Apr 2 16:41:59 UTC 2008


> I've run across this situation a few times in the past and again this morning.
> 
> https://rhn.redhat.com/errata/RHSA-2008-0197.html was released this
> morning and fixes a security issue in the version of the package in
> the base channel (gnome-screensaver-2.16.1-5.el5_1.1 is the new fixed
> version) but in the fastrack channel there exists version 2.16.1-6
> which does not have an errata at this time.
> 
> The changelog for the fastrack package suggests nothing about this
> errata so I'm again asking for some mechanism to be found whereby
> users who are concerned about security can determine whether a package
> such as this is vulnerable or not. If it is known to be not vulnerable
> please include this information in the released errata.
> 
> And if someone could tell me whether or not it is vulnerable that
> would be swell too for this case.
> 

Hello John,

The FasTrack channel provides early access to content scheduled for an
upcoming minor release of Red Hat Enterprise Linux.  In the case of
gnome-screensaver we released an asynchronous update today, prior to 5.2,
to fix a moderate severity security issue.  This means that we needed to
respin the gnome-screensaver update for 5.2 and repush the FasTrack
package so it correctly reflects what will go out in 5.2.

We did plan on repushing the FasTrack package today, but our Quality
Engineering team spotted a regression which required a package rebuild.
Updated gnome-screensaver packages will be pushed to FasTrack this
week, but it will probably not be today to allow time for proper testing.

In general if you have any questions about security vulnerabilities and
how they affect any Red Hat product or service you can contact Red Hat
Support Services or ask the Red Hat Security Response Team directly:
http://www.redhat.com/security/team/contact/

Let me know if you have any additional questions.

Thanks, Josh
-- 
Josh Bressers // Red Hat Security Response Team



