Re: Closed list

[Tomas Hoger <thoger () redhat com>]

On Tue, 17 May 2011 10:43:10 -0700 Oracle Security Alerts wrote:

> On 04/30/11 08:26 AM, Solar Designer wrote:
> > Does Oracle start to prepare security updates for Oracle Enterprise
> > Linux before or after Red Hat releases theirs?  If it's after, then
> > there's too little need for Oracle to have advance notification.
>
> If we know about vulnerabilities in advance, our fixing process
> starts before Red Hat releases their updates. It starts with
> assessment of issue, reviewing the fix for completeness and
> applicability to our kernel and components we maintain or provide in
> our Linux distribution. See
> http://www.oracle.com/us/technologies/linux/026042.htm
> or http://oss.oracle.com/
>
> We do not expect Red Hat or other vendors to evaluate impact of
> security vulnerabilities on Oracle Linux, nor fix it in a way that
> is applicable to our releases. Hence the request for subscription.

Maybe I'm mis-reading the above statement, but it seems to imply it's
not uncommon for you to re-do security patches that were applied to
RHEL packages before building them as OEL updates.  Do you have any
specific examples to point to (on- or off-list), so we can possibly
check what mistakes we did?

Thank you!

-- 
Tomas Hoger / Red Hat Security Response Team