Fedora and External Product Vulnerabilities (Bugzilla #185499, RHSA-2006-0268 (Macromedia Flash))

David Eisenstein deisenst at gtw.net
Sat Apr 1 19:06:14 UTC 2006


Hello,

The other week, I sent a notice to fedora-legacy-list and
fedora-security-list regarding the Macromedia Flash critical vulnerability
(CVE-2006-0024, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0024)
thinking that, even though it is proprietary and therefore Fedora Core,
Legacy, & Extras do not distribute it nor provide any support for it, that
I could tell my friends on both lists about it, since this bug has the
alleged possibility to run arbitrary code remotely and so is critical.

Here's the post:
<http://www.redhat.com/archives/fedora-legacy-list/2006-March/msg00107.html>

Some reservations were expressed to me privately about using our mailing
list(s) to broadcast such information, after I already sent the thing out.  
Yet I sent it out, because I felt it would be important for folks who
don't get Red Hat Enterprise Linux's security errata to be aware of the
issue so they can protect their computers.

Perhaps this needs more discussion, however.  As participating members of
the Fedora Project team, are there things we should not say on the mailing
list(s)?  I keep reading things about the wiki, for example, that say we
mustn't talk (at least on Fedora's official web-pages) about things that
aren't "pure" open-source or that violate some standard of
open-sourciness; nor should we use the wiki resource to point to outside
resources that may have (Linux) software that is proprietary or use
features that in some of many jurisdictions might violate patents or other
intellectual property laws.

If that is so (and it's unclear to me exactly what those boundaries should
be), it is unclear to me whether the instance of the buggy Flash player is
one of those "no-nos" to talk about on Fedora mailing lists or wiki pages.

I would have liked to suggest that someone who is a member of
<fedora-list@redhat.com> make a post there about this issue like that which
I posted to fedora-legacy-list and fedora-security-list, to help inform more
of the Fedora community about this critical bug.  But I am not sure now that
suggesting or doing that is appropriate?

Can any of you offer any insight into this?  Thank you.

    Thanks and Regards,
    David Eisenstein



