This week the number of updates released was rather slim. This comes on the back of last week, which saw the release of Red Hat Enterprise Linux 5. I think the most noteworthy thing that happened this week was Symantec's 11th annual Internet Security Threat Report.
On page 40, the response time for each vendor is shown. Red Hat is listed as being the second most responsive vendor, behind Microsoft. I suspect this data can be taken with a grain of salt, as Red Hat tends to make an effort to fix security flaws rated as having a low severity. If we stopped fixing low severity flaws, our stats would look great, but this would also be a disservice to our users. At the same time, we don't want to overload users with a slew of low severity flaws. The middle ground we decided on was to sit on low severity flaws until there is another update for a given package. That means that if we find a low severity flaw in, say, ImageMagick, we will wait until there is a higher severity security flaw being fixed in ImageMagick, or a non-security ImageMagick update, and fix the low severity flaw at the same time.
One of our goals is to ensure that the security response process is a service to our users, not a way to make reports look good. A goal of the Red Hat Security Response Team is to be as transparent as possible; all of our statistics are available to anyone who wants them here:
http://people.redhat.com/~mjc/metrics.html
Security Updates
- xen
Fixed in FC5, FC6.
- libwpd
Fixed in FC5, FC6.
- OpenOffice.org
Fixed in Red Hat Enterprise Linux 3, 4, and 5.
- file
Fixed in Red Hat Enterprise Linux 5.