Date: Fri, 17 Jun 2011 00:27:06 +0200
From: Tomas Hoger <thoger@...hat.com>
To: secalert_us@...cle.com
Cc: oss-security@...ts.openwall.com
Subject: Re: Closed list

On Tue, 17 May 2011 10:43:10 -0700 Oracle Security Alerts wrote:

> On 04/30/11 08:26 AM, Solar Designer wrote:
> > Does Oracle start to prepare security updates for Oracle Enterprise
> > Linux before or after Red Hat releases theirs? If it's after, then
> > there's too little need for Oracle to have advance notification.
>
> If we know about vulnerabilities in advance, our fixing process
> starts before Red Hat releases their updates. It starts with
> assessment of issue, reviewing the fix for completeness and
> applicability to our kernel and components we maintain or provide in
> our Linux distribution. See
> http://www.oracle.com/us/technologies/linux/026042.htm
> or http://oss.oracle.com/
>
> We do not expect Red Hat or other vendors to evaluate impact of
> security vulnerabilities on Oracle Linux, nor fix it in a way that
> is applicable to our releases. Hence the request for subscription.

Maybe I'm mis-reading the above statement, but it seems to imply it's
not uncommon for you to re-do security patches that were applied to
RHEL packages before building them as OEL updates. Do you have any
specific examples to point to (on- or off-list), so we can possibly
check what mistakes we did?

Thank you!

--
Tomas Hoger / Red Hat Security Response Team