On Wed, 2009-08-19 at 11:17 +0100, Dr Andrew C Aitchison wrote:
> >> Has anyone with a TAM with RedHat reported this to them yet?
> >
> > You mean
> >> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2692, right?
>
> Is there anyone here with access to the "depends upon bugs"
> 516950 516951 516952 516953 516954 516955 517444 517445
> who can tell us what is taking Red Hat so long?

Good question. Let's hope they'll come up with something better than
just the one line fix from upstream. Like enforcing vm.mmap_min_addr for
nonzero UIDs before SELinux doesn't.

> I'm very tempted to waste time and roll my own
> 2.6.18-128.4.1.el5+CVE.2009.2692 just for my own peace of mind,

We did this, and are rolling it out. No problems yet. Yes, it may be a
waste of time. But then imagine they decide to defer the fix to the
dot-0 kernel coming with 5.4...

> but I see that they have submitted *three* updates for Fedora 11*
> so they may be having problems ...
>
> * kernel-2.6.29.6-217.2.7.fc11

I think this is the only one released yet.

> kernel-2.6.30.5-28.rc2.fc11
> and kernel-2.6.30.5-32.fc11

Rebase to 2.6.30 causing other problems?

> [ If I were paying for support from Red Hat I would take a
> one month holiday at the end of my current contract as a protest
> at the delay, unless I knew what was going on.
> ]

Really not into TUV bashing, but: If you were paying for support, you'd
receive a very polite response with pointers to BZ #516949 and KB #18065
when asking for the ETA for a true solution. You'd also learn that this
is a severity 3 (medium) issue.

-- 
Stephan Wiesand
DESY - DV -
Platanenallee 6
15738 Zeuthen, Germany
