On Tue, 2006-04-04 at 18:39 -0500, David Eisenstein wrote:
> For some reason, the announcements 'FEDORA-2006-193' for
> sendmail-8.13.6-0.FC5.1 and 'FEDORA-2006-194' for sendmail-8.13.6-0.FC4.1,
> both apparently published March 22nd, never appeared to make it into the
> fedora-announce-list archives. But they indeed do appear on the
> fedoranews.org site, as <http://fedoranews.org/cms/node/466> and
> <http://fedoranews.org/cms/node/468>, respectively. Where did you get those
> announcements from, Thomas?
>
> Since I consider fedora-announce-list's archives to be a rather "official"
> repository of what is fixed or updated for Fedora Core, I generally go by the
> rule that whatever's in fedora-announce-list's archives are things that are
> fixed; and if it's not there in the archives, it's not fixed. Therefore, I,
> too, might have been led to believe that this sendmail vulnerability remained
> unpatched in Fedora Core.
>
> Should these announcements be re-published to fedora-announce-list?
>
> Further, should fedora-announce-list be considered an official repository of
> security and non-security update announcements for Fedora packages? If not,
> does the Fedora Project need to define such an official repository? -- some
> web location where we can all agree to point end-users to and say, "Here.
> This is where all update announcements will reside, so if there's no
> announcement here about issue xyz, then issue xyz's not been fixed." ??
>
> Warm regards,
> David Eisenstein
>
> ps: By the way, FYI, Fedora Legacy ran into a number of bugs in our initial
> release of packages that patch the CVE-2006-0058 sendmail issue for three of
> the five distributions we work with, RHL 7.3, RHL 9, and FC1; the FC2 and FC3
> packages appeared to be fine on initial release. The bugs were mostly due to
> the fact that we had to *upgrade* older sendmail's to sendmail-8.12.11, which
> broke some things. (See Bugzilla #186277 starting with comments #30 ff. for
> more info....)
>
> We have just today finished our QA process on the RHL 7.3, RHL9, and FC1
> packages that are currently in updates-testing, so updated packages should be
> released soon. -dde
>

Just so I'm clear on this one, do these packages fix something different
from the packages referenced on http://fedoranews.org/cms/node/489 ? They
seem to reference the same CVE listing so I just wanted to be sure before I
have to go patching a boat load of servers again.

--
Kurt Bechstein | Unique Systems, Inc.
Systems Administrator | 1687 Woodlands Dr.
Phone: (419) 861-3331 | Maumee, OH 43537
Email: kurt@xxxxxxxxxxx | http://www.uniqsys.com