I'd also seemed to think this information was included (previously), but I
guess it's in my head from reading TUV's errata notices. I'd like to second
having this information in SL's security advisories. It's just a little bit
of extra information that gives me a clue about "should I [really, really]
care about getting this update [done asap]."

David.

On Tue, Sep 30, 2014 at 2:51 PM, Pat Riehecky <[log in to unmask]> wrote:
> Historically, SL has not included the more detailed description to try and
> cut to the heart of the security issue. Our focus being along the lines of
> "since we ship with security errata on by default, here is why this package
> is changing". We know everyone is busy and are hoping to get straight to
> the point.
>
> Putting the package background in the message is an interesting idea. We'll
> have to ponder it a bit....
>
> Thanks for the feedback!
>
> Pat
>
> On 09/30/2014 12:37 AM, Andras Horvath wrote:
>>
>> (Sorry, sent to the wrong list).
>>
>> Hi,
>>
>> With all respect for the work, may I ask if there is any possibility to
>> include a short description of the package's functionality in the security
>> errata report? There was one included in the past as far as I remember. I'd
>> find it more than practical to have it because it gives useful info to
>> sysadmins about which area of the system is affected. Which software layer
>> etc.
>>
>> Of course I could run a "yum info", just thought it may be good for
>> everyone not having to.
>>
>>
>> Andras
>>
>>
>> On Mon, 29 Sep 2014 21:37:02 +0000
>> Pat Riehecky <[log in to unmask]> wrote:
>>
>>> Synopsis: Moderate: xerces-j2 security update
>>> Advisory ID: SLSA-2014:1319-1
>>> Issue Date: 2014-09-29
>>> CVE Numbers: CVE-2013-4002
>>> --
>>>
>>> A resource consumption issue was found in the way Xerces-J handled XML
>>> declarations. A remote attacker could use an XML document with a specially
>>> crafted declaration using a long pseudo-attribute name that, when parsed
>>> by an application using Xerces-J, would cause that application to use an
>>> excessive amount of CPU. (CVE-2013-4002)
>>>
>>> Applications using Xerces-J must be restarted for this update to take
>>> effect.
>>> --
>>>
>>> SL6
>>> x86_64
>>> xerces-j2-2.7.1-12.7.el6_5.x86_64.rpm
>>> xerces-j2-debuginfo-2.7.1-12.7.el6_5.x86_64.rpm
>>> xerces-j2-demo-2.7.1-12.7.el6_5.x86_64.rpm
>>> xerces-j2-javadoc-apis-2.7.1-12.7.el6_5.x86_64.rpm
>>> xerces-j2-javadoc-impl-2.7.1-12.7.el6_5.x86_64.rpm
>>> xerces-j2-javadoc-other-2.7.1-12.7.el6_5.x86_64.rpm
>>> xerces-j2-javadoc-xni-2.7.1-12.7.el6_5.x86_64.rpm
>>> xerces-j2-scripts-2.7.1-12.7.el6_5.x86_64.rpm
>>> i386
>>> xerces-j2-2.7.1-12.7.el6_5.i686.rpm
>>> xerces-j2-debuginfo-2.7.1-12.7.el6_5.i686.rpm
>>> xerces-j2-demo-2.7.1-12.7.el6_5.i686.rpm
>>> xerces-j2-javadoc-apis-2.7.1-12.7.el6_5.i686.rpm
>>> xerces-j2-javadoc-impl-2.7.1-12.7.el6_5.i686.rpm
>>> xerces-j2-javadoc-other-2.7.1-12.7.el6_5.i686.rpm
>>> xerces-j2-javadoc-xni-2.7.1-12.7.el6_5.i686.rpm
>>> xerces-j2-scripts-2.7.1-12.7.el6_5.i686.rpm
>>>
>>> - Scientific Linux Development Team
>
>
>
> --
> Pat Riehecky
>
> Scientific Linux developer
> http://www.scientificlinux.org/
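The practical question behind the thread ("should I care about getting this update done asap?") starts with whether the host even has an affected build installed. The script below is an added example, not part of the thread and not Scientific Linux tooling: it parses the package list out of an SLSA advisory in the format quoted above, compares it against `rpm -qa` style name-version-release.arch strings, and reports which installed packages are older than the fixed build. The version ordering is a simplified port of rpm's rpmvercmp (tilde handled, caret not, epoch ignored), which is sufficient for the package names in this advisory. The advisory excerpt and the installed-package list embedded in the script are constructed sample input.

```python
"""Compare installed RPMs against the package list of an SLSA advisory.

Added example, not Scientific Linux tooling. Assumptions: the advisory
text is in the SLSA format seen in the thread, installed packages are
given as name-version-release.arch strings (default `rpm -qa` output),
epoch is ignored, and rpmvercmp is a simplified port (tilde handled,
caret not), which is enough for these package names.
"""
import re
from typing import Dict, List, Tuple

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~")

NEVRA = Tuple[str, str, str, str]  # name, version, release, arch


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 the way rpm orders two version or release strings."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x == y:
                continue
            return -1 if x == "~" else 1        # tilde sorts before everything
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)             # numeric compare, leading zeros ignored
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1     # a numeric segment beats an alpha one
        elif x != y:
            return -1 if x < y else 1           # both alpha: plain string order
    if len(sa) == len(sb):
        return 0
    # The string with segments left over is newer, unless the extra segment
    # is a tilde (pre-release marker), in which case it is older.
    longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    return -sign if longer[min(len(sa), len(sb))] == "~" else sign


def parse_nevra(s: str) -> NEVRA:
    """Split 'name-version-release.arch[.rpm]' into its four parts."""
    if s.endswith(".rpm"):
        s = s[:-4]
    base, arch = s.rsplit(".", 1)
    name, version, release = base.rsplit("-", 2)
    return name, version, release, arch


def advisory_packages(text: str) -> Dict[Tuple[str, str], NEVRA]:
    """Collect the fixed packages listed in an advisory, keyed by (name, arch)."""
    fixed = {}
    for line in text.splitlines():
        line = line.strip().lstrip("> ").strip()   # tolerate mail quoting
        if line.endswith(".rpm"):
            n, v, r, a = parse_nevra(line)
            fixed[(n, a)] = (n, v, r, a)
    return fixed


def outdated(installed: List[str], fixed: Dict[Tuple[str, str], NEVRA]) -> List[Tuple[str, str]]:
    """Return (installed, fixed) pairs where the advisory carries a newer build."""
    result = []
    for pkg in installed:
        n, v, r, a = parse_nevra(pkg)
        fix = fixed.get((n, a))
        if fix is None:
            continue
        # Version decides first, release only on a tie, as rpm orders EVRs.
        cmp = rpmvercmp(v, fix[1]) or rpmvercmp(r, fix[2])
        if cmp < 0:
            result.append((pkg, f"{fix[0]}-{fix[1]}-{fix[2]}.{fix[3]}"))
    return result


# Constructed sample input: part of the x86_64 section of SLSA-2014:1319-1
# as quoted in the thread, and a made-up `rpm -qa` excerpt from a host that
# still runs an older xerces-j2 build.
ADVISORY = """\
>>> SL6
>>> x86_64
>>> xerces-j2-2.7.1-12.7.el6_5.x86_64.rpm
>>> xerces-j2-debuginfo-2.7.1-12.7.el6_5.x86_64.rpm
>>> xerces-j2-scripts-2.7.1-12.7.el6_5.x86_64.rpm
"""
INSTALLED = [
    "xerces-j2-2.7.1-12.6.el6.x86_64",            # older release: needs the update
    "xerces-j2-scripts-2.7.1-12.7.el6_5.x86_64",  # already at the fixed build
    "bash-4.1.2-15.el6_4.x86_64",                 # not covered by the advisory
]


def report(installed: List[str] = INSTALLED, advisory: str = ADVISORY) -> List[Tuple[str, str]]:
    """Print and return the packages on this host that the advisory supersedes."""
    todo = outdated(installed, advisory_packages(advisory))
    for have, want in todo:
        print(f"UPDATE {have} -> {want}")
    return todo


if __name__ == "__main__":
    report()
```

On a real host, feed `report()` the output of `rpm -qa` and the saved advisory mail. A package being current is only half the story, since the advisory notes that applications using Xerces-J must be restarted: `rpm -ql xerces-j2` lists the jar paths, and `lsof` on those paths shows which JVMs still have the old copy open.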