Date: Thu, 3 Aug 2006 13:24:02 -0600
On 8/3/06, Jan Iven <[log in to unmask]> wrote:
> On Thu, 2006-08-03 at 10:50 +0100, Alan J. Flavell wrote:
> > We had a campus alert about the above-mentioned vulnerability
> > CVE-2006-3747, saying that it was already being exploited in the wild.
> >
..
..
> > But of course RH do not install new versions. Rather, they back-port
> > the fix to the version which came with the RHEL release version, and
> > append a suffix to the RPM name (but not to the server banner).
>
> (yes, we've griped about this but they don't want to change this).
>
Red Hat probably won't change it because it is not in their interest
to. The purpose of Enterprise Linux is supposed to be a pretty
static distribution, where a vendor knows that ABI/API changes should be
minor and only occur in updates. The banks, stock exchanges, etc. that,
from what I can tell, are the primary money pushers have always wanted
that (I remember a meeting where some Fortune 50 company wanted RHL
4.2 supported till 2007 with only security fixes backported, like they
could get from AIX, HP-UX, etc.).
I am figuring that the change from Mozilla to Seamonkey must have been
a rancorous debate where a lot of assurances (monetary) had to be
given.
> > It does, however, leave open the more general question of how RH
> > should be informing the world about their response to security
> > advisories which are on the public record, but for which their version
> > has been rated as safe. At the moment they seem to be staying quiet,
> > which may be at least one excuse that I can give for the commotion
> > here.
>
> They preemptively informed their customers that they considered
> themselves (and anybody who compiles their apache using their compilers)
> not to be vulnerable to this particular issue (they'll still fix it as a
> bug). We could still ask them to include a link to their FAQ in the CVE
> entry.. and the more people publically ask for clarification, the more
> likely is that they will consider this.
>
They also gave their information to MITRE so that people who got the
MITRE CVE release would know that RH thought it was not vulnerable due
to XYZ reasons.
> Regards
> jan
>
--
Stephen J Smoogen.
CSIRT/Linux System Administrator
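The practical point buried in the thread is that a backported fix shows up in the RPM release suffix and the package changelog, never in the server banner. The script below is an added example written for this archive page; it is not code from the message, from Red Hat, or from any erratum. The package NVR, the changelog text and the simplified "Apache/x.y.z" banner form are all constructed for the demo; on a real RHEL/CentOS host you would feed it `rpm -q httpd` and `rpm -q --changelog httpd` instead.

```shell
#!/bin/sh
# Added example, not code from the list message: decide whether a vendor-backported
# fix is installed by reading the package changelog, since the server banner only
# shows the upstream version and never the RPM release suffix that carries the backport.
# Real use on a RHEL/CentOS box would be:
#   rpm -q httpd                      -> installed name-version-release (NVR)
#   rpm -q --changelog httpd | cve_status "$(rpm -q httpd)" CVE-2006-3747
# Everything below (the NVR and the changelog text) is CONSTRUCTED for the demo and is
# not Red Hat's actual package or changelog.

# rpm_version NVR  -> upstream version part (what the banner reflects), e.g. 2.0.52
rpm_version() {
    printf '%s\n' "$1" | sed -E 's/^(.*)-([^-]+)-([^-]+)$/\2/'
}

# rpm_release NVR  -> vendor release suffix (where backports are counted), e.g. 28.ent
rpm_release() {
    printf '%s\n' "$1" | sed -E 's/^(.*)-([^-]+)-([^-]+)$/\3/'
}

# banner_for NVR   -> simplified Server header string an Apache build announces.
# It is derived from rpm_version only: two releases with different backports
# produce the identical banner, which is why banner-based scanners cannot tell them apart.
banner_for() {
    printf 'Apache/%s\n' "$(rpm_version "$1")"
}

# cve_status NVR CVE-ID  (changelog text on stdin)
# Prints a verdict; exit 0 if the changelog records the CVE, 1 if it does not.
cve_status() {
    nvr=$1
    cve=$2
    if grep -qi -- "$cve"; then
        printf '%s: %s recorded in changelog; banner "%s" is unchanged, release "%s" carries the fix\n' \
            "$nvr" "$cve" "$(banner_for "$nvr")" "$(rpm_release "$nvr")"
        return 0
    fi
    printf '%s: no changelog entry mentions %s; do not infer anything from banner "%s"\n' \
        "$nvr" "$cve" "$(banner_for "$nvr")"
    return 1
}

# Constructed sample changelog (format mimics 'rpm -q --changelog' output; not real).
SAMPLE_CHANGELOG=$(cat <<'EOF'
* Tue Aug 01 2006 Example Packager <packager@example.invalid> 2.0.52-28.ent
- add backported fix for mod_rewrite off-by-one (CVE-2006-3747)

* Mon Jan 09 2006 Example Packager <packager@example.invalid> 2.0.52-22.ent
- rebuild against updated apr
EOF
)

# Demo: same banner either way; only the changelog says whether the backport is present.
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_status httpd-2.0.52-28.ent CVE-2006-3747 || :
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_status httpd-2.0.52-28.ent CVE-2006-9999 || :
```

The changelog grep is deliberately the only source of truth here: a release number alone tells you a backport exists somewhere, not which CVE it addressed, and the banner tells you nothing at all, which is exactly why a scanner keyed on "Apache/2.0.52" keeps raising the campus alert described above.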