On Fri, 13 Dec 2002, Matthew Boeckman wrote:

> I'm a little disturbed by something I'm seeing with the way that RH
> manages RPM security updates. It's almost microsoftian the way they are
> tending to take weeks or months to address critical security holes.
>
> For example, the recent Apache<1.3.27 shared memory exploit, originally
> announced Aug 8 2002:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0839
>
> that RedHat just released updates for today:
> http://www.linuxsecurity.com/advisories/redhat_advisory-2659.html
>
> Fully 4 months after the original patch from Apache! I can accept a
> certain amount of lead time for QA testing and such, but this is not an
> isolated incident, and I for one am not amenable to running an insecure
> webserver for 120+ days!
>
> Because of this, I find myself using less and less RPM and more and more
> source tarball compiles, because I do not feel that RedHat is addressing
> security concerns in a timely manner.
>
> Am I alone in this feeling? Is RedHat doing anything to speed up that
> process?
Are you sure that they're not addressing the issues? *My* understanding is that, in most cases, the security patches are applied to the version of the app currently being distributed by RH. This was certainly true with regard to the OpenSSH bugs, and I'm fairly sure that philosophy is true with Apache... there were a number of updates released for it over the last few months.

--
Mike Burger
http://www.bubbanfriends.org

Visit the Dog Pound II BBS
telnet://dogpound2.citadel.org or http://dogpound2.citadel.org:2000