SCIENTIFIC-LINUX-DEVEL Archives

April 2014

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

Subject:
From:
Pat Riehecky <[log in to unmask]>
Reply To:
Pat Riehecky <[log in to unmask]>
Date:
Fri, 25 Apr 2014 16:27:51 -0500
On 04/25/2014 10:27 AM, olli hauer wrote:
> On 2014-04-25 15:25, Pat Riehecky wrote:
>> On 04/24/2014 04:21 PM, Orion Poplawski wrote:
>>> On 10/17/2013 02:27 PM, Connie Sieh wrote:
>>>> ---------- Forwarded message ----------
>>>> Date: Thu, 17 Oct 2013 15:25:39 -0500
>>>> From: Connie Sieh <[log in to unmask]>
>>>> To: [log in to unmask]
>>>> Subject: Software Collections 1.0 is available for SL 6
>>>>
>>>> The following TUV "software collection" products are now available for SL 6.
>>>>
>>>> A README with info about yum repos for these packages is available from
>>>> ftp://sldist.fnal.gov/linux/scientific/6x/external_products/softwarecollections/README
>>> Any chance of yum-conf-softwarecollections ending up in the main SL repos?
>>>
>>>
>> That's an interesting idea.  Let's take it to the devel list and see what people think.
> @me not subscribed to the devel@ list so giving my rant here.
>
> The versions provided in softwarecollections have almost already known vulnerabilities.
>
> Picking only the latest CVE entries retrieved after softwarecollections publish date.
>
> php-5.4: CVE-2013-6420
> postgresql: CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063 CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 CVE-2014-0067
> python27 / python33: CVE-2014-1912
> ruby193: CVE-2013-4491 CVE-2013-6414 CVE-2013-6415 CVE-2013-6416 CVE-2013-6417
>
> Until the collection gets more notice from upstream I don't think it is a good idea to provide yum-conf-softwarecollection.
>

Yikes!

Anyone report these CVEs to upstream to make sure they didn't get
misplaced?

Pat

-- 
Pat Riehecky

Scientific Linux developer
http://www.scientificlinux.org/
