On 10/02/2014 12:31 PM, Karanbir Singh wrote:
> On 10/02/2014 06:00 PM, Pat Riehecky wrote:
>> We were fully aware of which versions of openssl contained CVE-2014-0160
>> and which SL versions contained the vulnerability.
> excellent, but you completely missed the point where all of SL installs
> were potentially at risk, with no way to factor back or check any state
> since there is no CVE validation being done.
>
> or are you doing cve validations and testing exploits actively now ?
>

The CentOS Devel list seems to be the incorrect place to debate SL update policies.

SLSA-2014:0376 was verified to fix CVE-2014-0160 on SL 6.0, 6.1, 6.2, 6.3, 6.4, and 6.5 for both i686 and x86_64.

Without SLSA-2014:0015, SL 6.0, 6.1, 6.2, 6.3, and 6.4 systems are vulnerable to CVE-2013-6449 CVE-2013-6450.

Pat

--
Pat Riehecky
Scientific Linux developer
http://www.scientificlinux.org/