On Fri, Feb 26, 2021 at 02:23:47PM +0000, Patrick Riehecky wrote: > RHEL is built in private. They can build the embargoed update whenever > they want, stage it for release, and maintain the privacy of the CVE. > > This means there is a certainty that EMBARGOED updates will get into > RHEL first. This is the same situation with Fedora. It is sometimes but not always the case that Fedora package maintainers are aware of the embargoed issue (either as part of RH work or through some other connection), but often isn't. Generally, once the issue is public, RH maintainers work very quickly to get the fix into Fedora Linux. -- Matthew Miller <mattdm at fedoraproject.org> Fedora Project Leader