On 06.03.2014 at 01:00, Michael Coffman michael.coffman@avagotech.com wrote:
On Wed, Mar 5, 2014 at 4:44 PM, John R Pierce pierce@hogranch.com wrote:
On 3/5/2014 3:36 PM, Michael Coffman wrote:
Not sure what your environment looks like but the systems I manage are locked down and it's typically difficult to get them changed. We have hundreds of systems (desktop, server and HPC systems) that are all the same rev with all the same packages. A large number of vendor packages and internally developed packages have to be re-qualified every time anything is changed. So we don't change them often.
so you're a year behind on any security fixes.... why are you worried about this one, then?
This seems like it has more potential to impact users in my environment that are using a web browser to access sites outside our firewall. It seemed like a reasonable question to me as it looked like it might be easily updated. I did not realize that once the OS was vaulted, there were no more updates. Now I know so thanks...
The OS is not vaulted. I suggest to rethink the mental model of the OS point releases.
IMHO the above-mentioned policy brings less security into the organization than it tries to suggest, and do not forget that most attacks came from internal.
There are more fixes to worry about
https://rhn.redhat.com/errata/rhel-server-6-errata.html
-- LF