Note: I am forwarding this to you all, as you may find these issues relevant. Main discussion of this will likely happen either on fedora-security-list or fedora-websites-list.

Warm regards,
David Eisenstein

-------- Original Message --------
Subject: "Official" (security) update announcement repository? fedora-announce-list? Re: Flaw discovered in Sendmail 8.13.5
Date: Tue, 04 Apr 2006 18:39:16 -0500
From: David Eisenstein <deisenst@...>
To: fedora-security-list@xxxxxxxxxx, Thomas Chung <tchung@...>
CC: Ronald Nissley <ronn@...>

Thomas Chung wrote:
> On 4/4/06, Ronald Nissley <ronn@...> wrote (to fedora-security-list):
>
>> A security flaw has been found in Sendmail 8.13.5. The flaw is resolved
>> in 8.13.6 or by patching 8.13.5. You can read more at
>> http://www.sendmail.org under Recent News. What is Fedora's response for
>> issues like this? Are users expected to install the patch,
>> compile/install the fixed version, or will Fedora release 8.13.6 rpms
>> shortly?
>
> Ronald,
> Fedora Project already pushed 8.13.6 for FC5.
> http://fedoranews.org/cms/node/466

For some reason, the announcements 'FEDORA-2006-193' for sendmail-8.13.6-0.FC5.1 and 'FEDORA-2006-194' for sendmail-8.13.6-0.FC4.1, both apparently published March 22nd, never appeared to make it into the fedora-announce-list archives. But they indeed do appear on the fedoranews.org site, as <http://fedoranews.org/cms/node/466> and <http://fedoranews.org/cms/node/468>, respectively. Where did you get those announcements from, Thomas?

Since I consider fedora-announce-list's archives to be a rather "official" repository of what is fixed or updated for Fedora Core, I generally go by the rule that whatever's in fedora-announce-list's archives are things that are fixed; and if it's not there in the archives, it's not fixed. Therefore, I, too, might have been led to believe that this sendmail vulnerability remained unpatched in Fedora Core.

Should these announcements be re-published to fedora-announce-list?

Further, should fedora-announce-list be considered an official repository of security and non-security update announcements for Fedora packages? If not, does the Fedora Project need to define such an official repository? -- some web location where we can all agree to point end-users to and say, "Here. This is where all update announcements will reside, so if there's no announcement here about issue xyz, then issue xyz's not been fixed." ??

Warm regards,
David Eisenstein

ps: By the way, FYI, Fedora Legacy ran into a number of bugs in our initial release of packages that patch the CVE-2006-0058 sendmail issue for three of the five distributions we work with, RHL 7.3, RHL 9, and FC1; the FC2 and FC3 packages appeared to be fine on initial release. The bugs were mostly due to the fact that we had to *upgrade* older sendmails to sendmail-8.12.11, which broke some things. (See Bugzilla #186277 starting with comments #30 ff. for more info....) We have just today finished our QA process on the RHL 7.3, RHL 9, and FC1 packages that are currently in updates-testing, so updated packages should be released soon.

-dde