I'm patched, only because I pay attention to [EMAIL PROTECTED]. It would be nice to have security-announce@ be really used. It wouldn't be much effort to send some blurb like: "new patch, check the ftp." That's all that is really required. Can anyone post to [EMAIL PROTECTED]? Someone has to step up, and that person ought to be official, lest misc@ and security-announce@ get flooded with frantic screamings of armageddon (or posting is denied to unofficial persons. I don't know the status on that.)
In all fairness, it was a simple DOS vulnerability. Not too serious. In the case that a root shell exploit is possible, you'll probably hear about it (it will be posted asap.) But speaking of fairness, I would like all patches to be treated the same. We have security-announce, and many people _expect_ it to be used for _every_ patch. Please no cracks about paranoia, I'm running low on tin-foil so my nerves are going bad.

"Security patch announcements are sent to the [EMAIL PROTECTED] mailing list."

Travers

On Fri, 16 Jun 2006 09:47:51 -0700 "Spruell, Darren-Perot" <[EMAIL PROTECTED]> wrote:

> For sysadmins that want to know as soon as possible about issues which
> are deemed patch-worthy (security vulnerabilities, critical
> reliability issues), what is the "best" way to stay on top of these
> issues as they are resolved?
>
> The canonical source of information seems to be errata.html, which does
> tend to be updated quickly as the patch becomes available. To keep
> track of this, it requires the user to access the page and look for a
> new patch which may apply to him.
>
> One could also monitor commits to CVS and while reliable, it becomes a
> bit more difficult to pick the critical from some of the rest of it.
> Then, as outlined in release announcements, "Security patch
> announcements are sent to the [EMAIL PROTECTED] mailing
> list." This method is preferred by a lot of people so they get some
> kind of proactive notification of potentially impactive problems.
> Patch announcements do make it to the list, some as early as 1 day
> after patch announcement, others 14 days after patch. The possible
> advantage over errata.html though is you get notified even if you've
> lapsed in checking out the web page. On the flip side, this requires a
> developer to take time and craft the message and send it, so the onus
> is on the project to do the work.
>
> DS