[rhn-users] Security Errata not covering all versions of RHEL packages

inode0 inode0 at gmail.com
Wed Apr 2 18:13:34 UTC 2008


On Wed, Apr 2, 2008 at 11:41 AM, Josh Bressers <bressers at redhat.com> wrote:
>  Hello John,
>
>  The FasTrack channel provides early access to content scheduled for an
>  upcoming minor release of Red Hat Enterprise Linux.  In the case of
>  gnome-screensaver we released an asynchronous update today, prior to 5.2,
>  to fix a moderate severity security issue.  This means that we needed to
>  respin the gnome-screensaver update for 5.2 and repush the FasTrack
>  package so it correctly reflects what will go out in 5.2.
>
>  We did plan on repushing the FasTrack package today, but our Quality
>  Engineering team spotted a regression which required a package rebuild.
>  Updated gnome-screensaver packages will be pushed to FasTrack this
>  week, but it will probably not be today to allow time for proper testing.
>
>  In general if you have any questions about security vulnerabilities and
>  how they affect any Red Hat product or service you can contact Red Hat
>  Support Services or ask the Red Hat Security Response Team directly:
>  http://www.redhat.com/security/team/contact/
>
>  Let me know if you have any additional questions.

Hi Josh,

Thanks so much for the explanation. I'll try to be more patient for
FasTrack updates in the future now that I better understand the build
process involved for those.

The Red Hat Security Response Team is in my opinion the crown jewel of
Red Hat support. You do a great job both in terms of providing timely
security fixes and in terms of helping users understand issues that
arise that concern them.

I have in the past sent inquiries to the address indicated above and
received timely and detailed information about those concerns. But for
something this trivial I hate to pester the SRT.

One shortcoming in the security offerings provided by Red Hat is an
easy way to audit for known vulnerabilities in installed packages. The
security plugin is a wonderful addition in this regard but still
doesn't (or perhaps I just don't quite know how to use it yet) cover
the case where there is a known vulnerability but no errata has been
issued (or sometimes will ever be issued) for it.

When a decision is made not to fix security issues in a package I
would really like this to be documented somewhere so users like me can
learn why and understand what I should or shouldn't do as a
consequence of Red Hat's decision. Issuing something like WONTFIX
errata would be something I'd very much like to see. It seems the only
way to get this information now is to contact the Security Response
Team directly and ask.

Thanks,
John
