Why does it take so long for new (gimp, kernels, openoffice) packages to reach the stable repo?

Rick Stevens ricks at nerd.com
Fri Oct 17 23:58:25 UTC 2008


Kevin Kofler wrote:
> Rick Stevens <ricks <at> nerd.com> writes:
>> you really need to run 0.9.8h or 0.9.8i because of security issues.
> 
> No you don't. The only security advisory released after 0.9.8g is this:
> http://www.openssl.org/news/secadv_20080528.txt
> (There's another one on their site, but that's for openssl-fips, not openssl 
> itself. That's a separate tarball which is not shipped in Fedora at all.)
> The security issues this fixes are CVE-2008-0891 and CVE-2008-1672. They are 
> fixed for Fedora 9 in openssl-0.9.8g-9.fc9:
> https://www.redhat.com/archives/fedora-package-announce/2008-May/msg01029.html
> The old versions of OpenSSL in Fedora 8 are not affected by either of those 
> vulnerabilities (they were both introduced only in 0.9.8f), that's why no 
> security update for Fedora 8 or RHEL/CentOS has been issued.
> 
> Don't believe the version numbers alone. Red Hat often backports security 
> fixes, especially for RHEL, but also for Fedora in cases like OpenSSL where 
> every new version is incompatible with the previous ones. You can trust the Red 
> Hat and Fedora security teams to know what they are doing and to issue security 
> updates where appropriate.

I'm aware of that, but the people who do the penetration testing squawk
anything that's less than 0.9.8h.  Technically it's a false positive,
but it is still in the reports and we have to prove that it's a false
positive each time.  I know what the vulnerabilities are and I've had
discussions with the pentest people, but they won't budge.

Anyway, that's wide of the discussion here.  I was just trying to show
why it takes a while for new versions of things to get stuffed into the
update cycle and one example of how (and why) I have to go around it.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks at nerd.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
- "People tell me I look at the dark side.  That's not true.  I have -
-   the heart of a small boy......in a jar right here on my desk."   -
-                                                    -- Stephen King -
----------------------------------------------------------------------
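The disagreement above (a scanner flagging everything below 0.9.8h versus a distribution that backported the two CVE fixes into 0.9.8g-9) comes down to what evidence is consulted. The following added example, which is not code from the thread or from Fedora, contrasts a version-string-only verdict with one that checks the package changelog for the CVE ids; the changelog excerpt, maintainer name and wording are constructed placeholders so the script runs offline (on a live system it would come from `rpm -q --changelog openssl`).

```shell
#!/bin/sh
# Added example, not from the thread. A scanner that flags openssl < 0.9.8h by
# version string alone produces a false positive on a package that backported the
# fixes, so the CVE ids in the package changelog are the better evidence.
# CONSTRUCTED changelog excerpt (placeholder maintainer and wording), embedded so
# the script runs offline; a real check would read `rpm -q --changelog openssl`.
SAMPLE_CHANGELOG='* Tue May 27 2008 Example Maintainer <maint@example.invalid> - 0.9.8g-9
- fix CVE-2008-0891 and CVE-2008-1672 (backported from upstream 0.9.8h)
* Mon Jan 14 2008 Example Maintainer <maint@example.invalid> - 0.9.8g-1
- update to 0.9.8g'

# cve_in_changelog CHANGELOG CVE-ID -> exit 0 if the id appears as a whole token
cve_in_changelog() {
    printf '%s\n' "$1" | grep -Eq "(^|[^A-Za-z0-9-])$2([^0-9]|$)"
}

# openssl_098_letter VERSION -> the patch letter of a 0.9.8x version (e.g. g)
openssl_098_letter() {
    printf '%s\n' "$1" | sed -n 's/^0\.9\.8\([a-z]\).*/\1/p'
}

# version_only_verdict VERSION -> what a version-string-only scanner reports:
# "flagged" for any 0.9.8 release letter below h, "ok" otherwise
version_only_verdict() {
    letter=$(openssl_098_letter "$1")
    if [ -n "$letter" ] && expr "$letter" \< h >/dev/null; then
        echo flagged
    else
        echo ok
    fi
}

# changelog_verdict VERSION CHANGELOG CVE... -> verdict after consulting the
# changelog: a flagged version whose changelog names every CVE is a false positive
changelog_verdict() {
    ver=$1; log=$2; shift 2
    [ "$(version_only_verdict "$ver")" = ok ] && { echo ok; return; }
    for cve in "$@"; do
        cve_in_changelog "$log" "$cve" || { echo "vulnerable: $cve not in changelog"; return; }
    done
    echo "false positive: fixes backported"
}
```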