-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 18-Sep-2002/13:22 -0400, Jason Costomiris <[EMAIL PROTECTED]> wrote:
>On Wed, Sep 18, 2002 at 01:14:19PM -0400, Anthony E. Greene wrote:
>: Specifically 0.9.6b-28. Earlier 0.9.6b packages (i.e. 0.9.6b-24 and
>: 0.9.6b-8) may not have the fix for this vulnerability.
>:
>: I really wish RH would make some kind of explicit announcement about this.
>
>You mean, like this:
>
>http://rhn.redhat.com/errata/RHSA-2002-160.html

Not quite. That announcement does not _explicitly_ say that "The
vulnerability exploited by the linux.slapper.worm was fixed in [errata
RHSA-2002-160 | openssl RPM package 0.9.6b-28]" or something very similar.
While it's possible for users to read and understand the implications of
RHSA-2002-160, a major incident like this should be specifically addressed
by a Red Hat announcement. It does not take a genius to anticipate the
number of questions that were bound to be asked in the absence of an
explicit statement by the largest Linux vendor in the U.S. market.

I went looking for just such an announcement at the RH web site, but ended
up at the wrong page. The announcement is posted at:

http://www.redhat.com/support/alerts/linux_slapper_worm.html

What I would like to have seen is a short statement in the original CERT
advisory. CERT advisories are routinely read by thousands of system
administrators. They provide a small space for comments by vendors. This
CERT advisory <http://www.cert.org/advisories/CA-2002-27.html> contains
comments by Apple, Covalent, and Inktomi. The Apple comment is similar to
what I would like to have seen from Red Hat:

- -----------------------------------------------------------------------
Apple Computer, Inc.

The vulnerability described in this report has been addressed by
  * Security Update 2002-08-23 for Mac OS X 10.2 (Jaguar), and by
  * Security Update 2002-08-02 for Mac OS X 10.1.5.
- -----------------------------------------------------------------------

A similar comment by Red Hat might look like this:

- -----------------------------------------------------------------------
Red Hat, Inc.

The vulnerability described in this report was addressed by RHSA-2002:160
on 2002-08-05 for Red Hat Linux 6.2, 7.0, 7.1, 7.2, and 7.3. For details
see <http://www.redhat.com/support/alerts/linux_slapper_worm.html>.
- ------------------------------------------------------------------------

The CERT advisory states that vendor comments are added as they are
received. It's a little late now, but it would be nice if RH actually
included comments in these types of CERT advisories in the future.

Tony

- --
Anthony E. Greene <mailto:[EMAIL PROTECTED]>
OpenPGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D
AOL/Yahoo Chat: TonyG05
HomePage: <http://www.pobox.com/~agreene/>
Linux: the choice of a GNU Generation. <http://www.linux.org/>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Anthony E. Greene 0x6C94239D <[EMAIL PROTECTED]>

iD8DBQE9iNTWpCpg3WyUI50RAokDAKDM40o2qOqs3OdXLv/WKa9cuxcUKwCg2BSe
BmWq0wzS6RLZoiBz12BSGmM=
=pax/
-----END PGP SIGNATURE-----

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list