Date: Fri, 17 Jun 2011 00:27:06 +0200
From: Tomas Hoger <thoger@...hat.com>
To: secalert_us@...cle.com
Cc: oss-security@...ts.openwall.com
Subject: Re: Closed list

On Tue, 17 May 2011 10:43:10 -0700 Oracle Security Alerts wrote:

> On 04/30/11 08:26 AM, Solar Designer wrote:
> > Does Oracle start to prepare security updates for Oracle Enterprise
> > Linux before or after Red Hat releases theirs?  If it's after, then
> > there's too little need for Oracle to have advance notification.
> 
> If we know about vulnerabilities in advance, our fixing process
> starts before Red Hat releases their updates. It starts with
> assessment of the issue, reviewing the fix for completeness and
> applicability to our kernel and components we maintain or provide in
> our Linux distribution. See
> http://www.oracle.com/us/technologies/linux/026042.htm
> or http://oss.oracle.com/
> 
> We do not expect Red Hat or other vendors to evaluate the impact of
> security vulnerabilities on Oracle Linux, nor fix it in a way that
> is applicable to our releases. Hence the request for subscription.

Maybe I'm mis-reading the above statement, but it seems to imply it's
not uncommon for you to re-do security patches that were applied to
RHEL packages before building them as OEL updates.  Do you have any
specific examples to point to (on- or off-list), so we can possibly
check what mistakes we made?

Thank you!

-- 
Tomas Hoger / Red Hat Security Response Team
