On 1/22/25 18:42, Solar Designer wrote:
Hi,
Once in a while, Oracle publishes what they call Critical Patch Update
Once a quarter, per the schedule published on:
https://www.oracle.com/security-alerts/#CriticalPatchUpdates
documents, which list many vulnerabilities addressed across many Oracle
products, some of them Open Source and some not. This is great, but it
would be even better if Oracle also communicated to oss-security about
those vulnerabilities in its Open Source products, perhaps one message
per product (e.g., MySQL separately from VirtualBox). I hope someone
from Oracle reads this and will get the wheels moving. Anyone?
People from Oracle have read this, but it's specifically people from
the Security Alerts team who publish those documents who would need to
do this.
Perhaps there's more Open Source software listed in there, which needs
similar treatment.
The open source packages delivered in Oracle Linux & Oracle Solaris are
listed separately, but these are downstreams, so I've always thought they'd
be off topic here, since we normally only cover upstream issues, and don't
publish every distro's notices that they've applied the latest fixes to
rsync, openssl, glibc, or whatever upstream was fixed this week.
For those who want to see such downstream notices, you can find them at:
Oracle Linux:
https://linux.oracle.com/security/
https://oss.oracle.com/mailman/listinfo/el-errata
https://www.oracle.com/security-alerts/#OLBulletin
Oracle Solaris:
https://www.oracle.com/security-alerts/#SolarisThirdPartyBulletin
--
-Alan Coopersmith- alan.coopersm...@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
