On Saturday 10 January 2004 15:53, Bernd Bartmann wrote:
> What's the difference between "Issue Date" and "Updated on"? If
> another update becomes necessary it should get a new Bugzilla entry.

Hrm, probably right. I pulled this content from RH's RSA announcements, not sure how they use the field. Perhaps we'll leave it out for now.

> Cross references should also include links to the upstream, CVE,
> CERT, Bugtraq, Full-Disclosure, ... announcements

Yep, I didn't mean to limit the content to just what was there, it should include anything directly relevant w/out duplicating information.

> If a service like sshd or httpd gets an update and the post-install
> scripts don't restart the service automatically a note should be
> added how to restart the service manually.

Yep, that would be near the bottom under "Special Notes:"

> The MD5SUMS and file sizes of the rpms HAVE TO BE listed.

Absolutely. I forgot a section or 3, let me add them here:

7. Verification:

MD5 sum                          Package Name
---------------------------------------------------------------------------
6f37a0c884be50f702665dd418e7d8a5 7.1/en/os/SRPMS/kernel-2.4.20-28.7.src.rpm
85dabb948243fcd96fed1946217b3259 7.1/en/os/athlon/kernel-2.4.20-28.7.athlon.rpm
ba80fcbe3237ece886506446413d6330 7.1/en/os/athlon/kernel-smp-2.4.20-28.7.athlon.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from https://www.fedoralegacy.org/security/keys.html

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    md5sum <filename>

8. References:

http://www.securityfocus.com/bid/9154/discussion/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0984
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0985

9. Contact:

The Fedora Legacy security contact is <secalert@xxxxxxxxxxxxxxxx>.
More contact details at https://www.fedoralegacy.org/contact

> The rpm changelog should be listed.

Well, the last couple lines, not the whole thing (;

--
Jesse Keating RHCE MCSE (geek.j2solutions.net)
Fedora Legacy Team (www.fedoralegacy.org)
Mondo DevTeam (www.mondorescue.org)
GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)

Was I helpful? Let others know:
http://svcs.affero.net/rm.php?r=jkeating
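
An added example, not part of the original message and not Fedora Legacy code: a parser for the "7. Verification" table proposed above that checks a directory of downloaded rpms against the listed MD5 sums. The function names and the `demo()` file contents are constructed assumptions; only the file names come from the message. A matching sum shows the file equals what the advisory lists, while `rpm --checksig` remains the signature check.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One table row: 32 hex digits, whitespace, repository-relative path to an rpm.
ROW = re.compile(r"^([0-9a-fA-F]{32})\s+(\S+\.rpm)$")

def parse_verification_table(advisory_text):
    """Map package file name -> expected MD5 from the "Verification" section."""
    expected = {}
    for line in advisory_text.splitlines():
        m = ROW.match(line.strip())
        if m:  # headings, rulers and prose do not match and are skipped
            digest, name = m.group(1).lower(), m.group(2).rsplit("/", 1)[-1]
            if expected.setdefault(name, digest) != digest:
                raise ValueError(f"conflicting sums listed for {name}")
    return expected

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def check_downloads(advisory_text, directory):
    """Status per file: ok, mismatch, missing (listed but absent), unlisted."""
    expected = parse_verification_table(advisory_text)
    present = {p.name: p for p in Path(directory).glob("*.rpm")}
    status = {n: "unlisted" for n in present if n not in expected}
    for name, digest in expected.items():
        if name not in present:
            status[name] = "missing"
        else:
            status[name] = "ok" if md5_of(present[name]) == digest else "mismatch"
    return status

def demo():
    a, b = b"constructed package A", b"constructed package B"  # stand-in contents
    advisory = "\n".join(["7. Verification:", "MD5 sum   Package Name", "-" * 40,
        f"{hashlib.md5(a).hexdigest()} 7.1/en/os/SRPMS/kernel-2.4.20-28.7.src.rpm",
        f"{hashlib.md5(b).hexdigest()} 7.1/en/os/athlon/kernel-2.4.20-28.7.athlon.rpm",
        f"{'0' * 32} 7.1/en/os/athlon/kernel-smp-2.4.20-28.7.athlon.rpm"])
    with tempfile.TemporaryDirectory() as d:
        Path(d, "kernel-2.4.20-28.7.src.rpm").write_bytes(a)
        Path(d, "kernel-2.4.20-28.7.athlon.rpm").write_bytes(b + b"!")  # changed after listing
        Path(d, "extra-1.0.rpm").write_bytes(b"x")  # not in the advisory
        return check_downloads(advisory, d)
```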