Hello Matthew,

After more or less hijacking your thread (sorry about that) I guess I'm 
coming slowly to the conclusion that the source tarball may be the surest way 
to know that you are, and keep, up-to-date.

Thanks for bringing it up, it's been very instructive for me.

Regards, Mike Klinke


On Friday 13 December 2002 15:10, Matthew Boeckman wrote:
> I'm a little disturbed by something I'm seeing with the way that RH
> manages RPM security updates. It's almost microsoftian the way they are
> tending to take weeks or months to address critical security holes.
>
> For example, the recent Apache<1.3.27 shared memory exploit, originally
> announced Aug 8 2002:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0839
>
> that RedHat just released updates for today:
> http://www.linuxsecurity.com/advisories/redhat_advisory-2659.html
>
> Fully 4 months after the original patch from Apache! I can accept a
> certain amount of lead time for QA testing and such, but this is not an
> isolated incident, and I for one am not amenable to running an insecure
> webserver for 120+ days!
>
> Because of this, I find myself using less and less RPM and more and more
> source tarball compiles, because I do not feel that RedHat is addressing
> security concerns in a timely manner.
>
> Am I alone in this feeling? Is RedHat doing anything to speed up that
> process?


