> To be fair, even if you go to the Red Hat site, and log in to support, is
> there any easy way to tell if a particular CVE is addressed in a given
> patch? I know you can search the change logs and Red Hat Advisories but
> it sure seems that it's difficult to go from a CVE to a RHSA, although
> it's quite easy to go the other way. It would be nice if there was a
> well maintained web page that cross-referenced CVEs to RHSAs so that
> it would be easy to answer audit "findings".

RH's security team publishes useful metrics (including CVE/RHSA mappings) regarding security issues at http://www.redhat.com/security/data/metrics/ - I find the Vulnerability Statements are especially useful when you're trying to work out why Red Hat hasn't issued a RHSA for a given CVE.

Also, though I've had no cause to contact them myself, I'm told the security team are extremely responsive to email (see http://www.redhat.com/security/team/contact/).
