[rhn-users] Security Errata not covering all versions of RHEL packages

Josh Bressers bressers at redhat.com
Wed Apr 2 18:52:10 UTC 2008


> 
> Thanks so much for the explanation. I'll try to be more patient for
> fastrack updates in the future now that I better understand the build
> process involved for those.
> 
> The Red Hat Security Response Team is in my opinion the crown jewel of
> Red Hat support. You do a great job both in terms of providing timely
> security fixes and in terms of helping users understand issues that
> arise that concern them.

Thank you!  We're always glad to receive feedback, especially positive
feedback.

> 
> I have in the past sent inquiries to the address indicated above and
> received timely and detailed information about those concerns. But for
> something this trivial I hate to pester the SRT.

This certainly wouldn't have been a problem.  We're happy to answer all
inquiries.  None are too big or too small.

> 
> One shortcoming in the security offerings provided by Red Hat is an
> easy way to audit for known vulnerabilities in installed packages. The
> security plugin is a wonderful addition in this regard but still
> doesn't (or perhaps I just don't quite know how to use it yet) cover
> the case where there is a known vulnerability but no errata has been
> issued (or sometimes will ever be issued) for it.
> 
> When a decision is made not to fix security issues in a package I
> would really like this to be documented somewhere so users like me can
> learn why and understand what I should or shouldn't do as a
> consequence of Red Hat's decision. Issuing something like WONTFIX
> errata would be something I'd very much like to see. It seems the only
> way to get this information now is to contact the Security Response
> Team directly and ask.
> 

This information is currently captured via bugzilla and NVD.  We are
working on a better solution, but for the moment, you have to know how the
process works to get your answers.  As always, you can mail the Security
Response Team with questions.

We track all public CVE ids via bugzilla, assigning the CVE id to the bug
alias.  This means for example that if you wanted information regarding
CVE-2008-0887, you could issue this query:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-0887

We tend not to include CVE ids for issues that don't affect Red Hat
products in bugzilla, so we issue NVD statements for that purpose.  For
example, there was recently a GnuPG flaw that did not affect Red Hat
Enterprise Linux (See the Vendor Statements section):
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1530

Thanks again.
-- 
Josh Bressers // Red Hat Security Response Team