[rhn-users] Security Errata not covering all versions of RHEL packages

Josh Bressers bressers at redhat.com
Wed Apr 9 11:18:39 UTC 2008


> 
> I'm not really seeing how this is useful to me in general. For example, consider
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-0005
> 
> While we get a hit, there is no comment about RHEL versions of httpd
> and I'm denied access to bz entries depending on this one.

This is true.  We don't make this terribly clear.  I shall see what I can
do to clear that up in the near future.

> 
> Asking the customer to wade through 5 errata, notice that some
> installed package wasn't covered by any of them, visit bugzilla and
> NVD, throw up his hands and send you email is, I think, asking too much
> from the customer.

It's not ideal, I agree.  I was just pointing out that there are a handful
of places one could get this information.  As always, just mail
secalert at redhat.com with your question.  It's easy and we'll get back to
you promptly.

> 
> If Red Hat chooses to leave some package unpatched, for reasons that
> may be justifiable (incredibly low risk, not exploitable in default or
> common configurations, etc.) I think Red Hat has an obligation to make
> that decision known to customers using the affected packages - well,
> really all customers. We might not be running them in a way that fits
> your assumptions and we should be aware of the risk. The customer
> should not need to recognize the danger and ask you, the customer
> should be informed by you when you make such decisions (in my
> dreamworld at least).
> 
> I really can't see why delivering a notification of this sort is any
> harder than delivering an errata to me, unless the reason isn't
> technical.
> 

We will take this into consideration.  It's never really occurred to us
honestly.  We put a great deal of effort into fixing everything and
anything that poses an imminent risk to our customers.  It's the opinion of
the Security Response Team that a great deal of our added value is that
customers don't have to worry about every little security thing that comes
along since we handle them.

Thank you for your feedback, it's most appreciated.

-- 
Josh Bressers // Red Hat Security Response Team