On 10/02/2014 03:39 AM, Karanbir Singh wrote:
> even to the point that when heartbleed happened - I had to go remind them that every SL version and every user instance was exploitable; unlike RHEL and CentOS, where only folks who had updated in the few weeks leading up to the issue being reported were affected.
There were about 12 weeks between the publication of SA-2014:0015 (January) and SA-2014:0376 (April) by Red Hat, CentOS and SL.
Your notification was considerate, but did not provide any new information. We had already published the SA-2014:0376 update for all SL 6 releases and notified our userbase.
Per our publication practices, we published SA-2014:0015 (security classification Important) for all SL6 releases. It protected against the following CVEs: CVE-2013-6449, CVE-2013-6450, CVE-2013-4353.
Similarly, we published SA-2014:0376 (security classification Important) for all SL6 releases. It protected against the following CVE: CVE-2014-0160 (heartbleed).
OpenSSL packages published before SA-2014:0015 contain CVE-2013-6449 and CVE-2013-6450. BA-2013:1585-1 contains CVE-2013-4353. OpenSSL packages published after BA-2013:1585-1 and before SA-2014:0376 contain CVE-2014-0160.
We were fully aware of which versions of openssl contained CVE-2014-0160 and which SL versions contained the vulnerability.
Pat