Critical or Not
[Jun. 30th, 2006|04:51 pm]
One thing many people apparently don’t understand is that the same reported security problem can have different severity levels for different distributions. This is why one distribution might have to issue a security update right away when the vulnerability is made public while others can wait.
RHEL (especially RHEL4) has many security features which can alleviate many problems. Critical problems suddenly are not critical anymore since the security features will prevent the remote exploit. This is why we spent so much time on the security features.
So, next time you see somebody complain that a RHEL update for a vulnerability is not released in time, make sure Red Hat does not classify the bug differently than your other distribution. Given that we are not shipping all kinds of junk and we can classify some vulnerabilities as less severe, we can focus on the inevitable remaining problems.