I sent RedHat a message addressing the issue about how they are releasing older packages with their set of security fixes rather than helping patch the program's CVS so that ALL of the newer versions of the program will be patched. I find that RedHat is in essence pulling a Micro$oft in that they will not share.
I find it kind of irritating that RH just released an update for KDE 3.0.3 instead of releasing 3.0.5 which had the same fixes. Some programs should be tested, but others are already being tested and fixed on a daily basis.
I think that if we all complain about this, that they might modify their policy on security fixes.
-David
Matthew Boeckman wrote:
I'm a little disturbed by something I'm seeing with the way that RH manages RPM security updates. It's almost microsoftian the way they are tending to take weeks or months to address critical security holes.
For example, the recent Apache < 1.3.27 shared memory exploit, originally announced Aug 8 2002:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0839
that RedHat just released updates for today:
http://www.linuxsecurity.com/advisories/redhat_advisory-2659.html
Fully 4 months after the original patch from Apache! I can accept a certain amount of lead time for QA testing and such, but this is not an isolated incident, and I for one am not amenable to running an insecure webserver for 120+ days!
Because of this, I find myself using less and less RPM and more and more source tarball compiles, because I do not feel that RedHat is addressing security concerns in a timely manner.
Am I alone in this feeling? Is RedHat doing anything to speed up that process?
--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list