SCIENTIFIC-LINUX-USERS Archives

August 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Stephan Wiesand <[log in to unmask]>
Reply To: Stephan Wiesand <[log in to unmask]>
Date: Wed, 19 Aug 2009 13:25:53 +0200
Content-Type: text/plain

On Wed, 2009-08-19 at 11:17 +0100, Dr Andrew C Aitchison wrote:
> >> Has anyone with a TAM with RedHat reported this to them yet?
> > You mean
> >> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2692, right?
> 
> Is there anyone here with access to the "depends upon bugs"
>    516950 516951 516952 516953 516954 516955 517444 517445
> who can tell us what is taking Red Hat so long ?

Good question. Let's hope they'll come up with something better than
just the one line fix from upstream. Like enforcing vm.mmap_min_addr for
nonzero UIDs before SELinux doesn't.

> I'm very tempted to waste time and roll my own 
> 2.6.18-128.4.1.el5+CVE.2009.2692 just for my own peace of mind,

We did this, and are rolling it out. No problems yet. Yes, it may be a
waste of time. But then imagine they decide to defer the fix to the
dot-0 kernel coming with 5.4...

> but I see that they have submitted *three* updates for Fedora 11*
> so they may be having problems ...
> 
> *	kernel-2.6.29.6-217.2.7.fc11

I think this is the only one released yet.

>  	kernel-2.6.30.5-28.rc2.fc11
> and	kernel-2.6.30.5-32.fc11

Rebase to 2.6.30 causing other problems?

> [ If I were paying for support from Red Hat I would take a
>    one month holiday at the end of my current contract as a protest
>    at the delay, unless I knew what was going on.
> ]

Really not into TUV bashing, but: If you were paying for support, you'd
receive a very polite response with pointers to BZ #516949 and KB #18065
when asking for the ETA for a true solution. You'd also learn that this
is a severity 3 (medium) issue.

-- 
Stephan Wiesand
  DESY - DV -
  Platanenallee 6
  15738 Zeuthen, Germany
