[Gllug] [Fwd: SSH Security Advisory: Centos (and other distros)]

Daniel P. Berrange dan at berrange.com
Wed Jul 8 10:00:11 UTC 2009


On Wed, Jul 08, 2009 at 08:32:08AM +0100, Andy Millar wrote:
> On Wed, 2009-07-08 at 08:23 +0100, Jon Fautley wrote:
> > 
> > So you've got an email from someone asking you to go and install some
> > "random" SSH RPMs from a non-vendor site, because of a security hole
> > they're not disclosing (or, in fact, confirming)?
> 
> Given that we have Red Hat employees on this list, can anyone
> from Red Hat actually confirm or deny that this is an issue?

You can't really expect random Red Hat employees to contribute
official answers to this kind of rumour, even if they knew something 
of interest, which they almost certainly don't. As an employee, 
you have *zero* extra knowledge of security issues before they are
published unless it is a package that you are the maintainer of. 
This is how it should be. Security issues are handled on a "need to
know" basis, responses coordinated between all vendors' security 
teams.

I can say, though, that anyone who discovers, or has questions about,
possible security problems in Red Hat products should direct them
to the Red Hat security team:

     http://www.redhat.com/security/team/contact/

[quote]
  What you should use secalert at redhat.com for:

    * If you have found a security vulnerability with a
      Red Hat product or service
    * If you are unsure about how a known vulnerability
      affects a Red Hat product or service

  Email communications sent to secalert at redhat.com will be 
  read and acknowledged with a non-automated response 
  within 3 working days.
[/quote]

Regards,
Daniel
-- 
|: http://berrange.com/     -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://freshmeat.net/~danielpb/    -o-   http://gtk-vnc.sourceforge.net :|
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug