On 10/02/2014 03:39 AM, Karanbir Singh wrote:
> even to the point that when heartbleed
> happened - I had to go remind them that every SL version and every user
> instance was exploitable; unlike RHEL and CentOS where only folks who
> had updated in the few weeks leading up to the issue being reported.

There were about 12 weeks between the publication of SA-2014:0015 (January) and SA-2014:0376 (April) by RedHat, CentOS and SL.

Your notification was considerate, but did not provide any new information. We had already published the SA-2014:0376 update for all SL 6 releases and notified our userbase.

Per our publication practices, we published the SA-2014:0015 (security classification Important) for all SL6 releases. It protected against the following CVEs:

    CVE-2013-6449
    CVE-2013-6450
    CVE-2013-4353

Similarly, we published SA-2014:0376 (security classification Important) for all SL6 releases. It protected against the following CVE:

    CVE-2014-0160 (heartbleed)

OpenSSL packages published before SA-2014:0015 contain CVE-2013-6449 CVE-2013-6450.

BA-2013:1585-1 contains CVE-2013-4353.

OpenSSL packages published after BA-2013:1585-1 and before SA-2014:0376 contain CVE-2014-0160.

We were fully aware of which versions of openssl contained CVE-2014-0160 and which SL versions contained the vulnerability.

Pat

--
Pat Riehecky
Scientific Linux developer
http://www.scientificlinux.org/