It is pretty late to mention the last SSMG meetup, which took place on 18th December at Red Hat Asia-Pacific, but I’m sharing this anyway. Eugene Teo spoke generally about how bug reports are handled at Red Hat. A short biography of Eugene:
Eugene Teo works for the Red Hat Security Team (only one in AP). He focuses on Linux kernel security. He has been an active member of the Linux and open source community in Singapore for over a decade, having held different portfolios within the Linux Users’ Group of Singapore. Eugene has spoken at numerous conferences, including the Red Hat Summit, GNOME.Asia, and Linux Conference Australia.
Follow-ups by Eugene through email:
Hi all,
For those who attended my talk, thanks a lot. I hope you find it useful.
Here are a couple of notes that you will find useful:
- Red Hat published a risk report on the three years of Red Hat
Enterprise Linux 4. Feel free to read it at:
http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/
- How do you find out if Red Hat have fixed a particular named issue?
Most public security issues that affect Red Hat will already have an
assigned CVE number[1]. The CVE number will be formatted as
CVE-YYYY-XXXX where YYYY is a year, and XXXX is a 4-digit integer.
Use the Red Hat Network to see if we have issued updates that correct
this issue:
Example: http://rhn.redhat.com/errata/CVE-2008-3526.html
It is possible that an issue affects one of our products, but has not
had an update released yet. We track all known issues in bugzilla, and
place the CVE id in the summary line. Doing a bugzilla search for a
given CVE id should reveal if we are working on it.
Example: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-4554
If you do not see anything there, perhaps this is an issue that for
some reason does not affect Red Hat. If so, we will have given an
official vendor statement to the National Vulnerability Database.
Example: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4618
[1] CVE stands for Common Vulnerabilities and Exposures (CVE). Check
Thanks, Eugene
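The lookup order described in the email, as an added example that is not part of the original email or Red Hat's own tooling: it pulls CVE ids out of free text and builds the three URLs to check, in the email's order, from the URL patterns in its examples. The sample text and function names are constructed for illustration, and the pattern also accepts sequence numbers longer than four digits because CVE ids assigned since 2014 can have them.

```python
import re

# CVE-YYYY-NNNN. The email describes a 4-digit sequence number; ids assigned
# since 2014 may carry more digits, so accept four or more.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# URL patterns copied from the examples in the email (2008-era; they may
# redirect or no longer resolve today).
LOOKUPS = [
    ("errata issued", "http://rhn.redhat.com/errata/{cve}.html"),
    ("tracked in bugzilla", "https://bugzilla.redhat.com/show_bug.cgi?id={cve}"),
    ("vendor statement", "http://nvd.nist.gov/nvd.cfm?cvename={cve}"),
]

def extract_cves(text):
    """Return unique, upper-cased CVE ids in order of first appearance."""
    seen = []
    for match in CVE_RE.finditer(text):
        year, seq = match.groups()
        if int(year) < 1999:  # the CVE list starts in 1999
            continue
        cve = f"CVE-{year}-{seq}"
        if cve not in seen:
            seen.append(cve)
    return seen

def lookup_plan(cve):
    """Return (step, url) pairs in the order the email walks through them."""
    if not CVE_RE.fullmatch(cve):
        raise ValueError(f"not a CVE id: {cve!r}")
    cve = cve.upper()
    return [(step, url.format(cve=cve)) for step, url in LOOKUPS]

# Constructed sample input: mixed case, a duplicate, and malformed ids.
SAMPLE = (
    "Update addresses cve-2008-3526 and CVE-2008-4554.\n"
    "Not affected by CVE-2008-4618. Mentioned again: CVE-2008-3526.\n"
    "Malformed: CVE-08-123, CVE-2008-12, XCVE-2008-0001.\n"
)

if __name__ == "__main__":
    for cve_id in extract_cves(SAMPLE):
        print(cve_id)
        for step, url in lookup_plan(cve_id):
            print(f"  {step}: {url}")
```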