Fedora and External Product Vulnerabilities (Bugzilla #185499, RHSA-2006-0268 (Macromedia Flash))

Rahul Sundaram sundaram at fedoraproject.org
Sat Apr 1 19:27:40 UTC 2006


On Sat, 2006-04-01 at 13:06 -0600, David Eisenstein wrote:
> Hello,
> 
> The other week, I sent a notice to fedora-legacy-list and
> fedora-security-list regarding the Macromedia Flash critical vulnerability
> (CVE-2006-0024, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0024)
> thinking that, even though it is proprietary and therefore Fedora Core,
> Legacy, & Extras do not distribute it nor provide any support for it, that
> I could tell my friends on both lists about it, since this bug has the
> alleged possibility to run arbitrary code remotely and so is critical.
> 
> Here's the post:
> <http://www.redhat.com/archives/fedora-legacy-list/2006-March/msg00107.html>
> 
> Some reservations were expressed to me privately about using our mailing
> list(s) to broadcast such information, after I already sent the thing out.  
> Yet I sent it out, because I felt it would be important for folks who
> don't get Red Hat Enterprise Linux's security errata to be aware of the
> issue so they can protect their computers.

You are certainly allowed as an individual to post such warnings to the
list. Just make it explicit that you are posting not on behalf of the
project when it is controversial. Warren Togami, for example, made an
announcement on the arrangement he had with Macromedia for a Flash
repository. That might be better suited for Fedora Legacy users too.

https://www.redhat.com/archives/fedora-announce-list/2006-March/msg00037.html


> Perhaps this needs more discussion, however.  As participating members of
> the Fedora Project team, are there things we should not say on the mailing
> list(s)? 

I would say the usual netiquette guidelines, such as generally being nice
to each other, apply, but anything that doesn't fit the ideals of the
project probably shouldn't be promoted in a formal capacity.

Issues of this kind, such as security vulnerabilities, are something
that we need to be responsible about even when we actually don't ship the
applications or support them formally.


Rahul

PS: No need to cc me. I am on this list as well now.





More information about the Fedora-websites-list mailing list