Propagating security fixes efficiently
Martin Schulze <joey@finlandia.Infodrom.North.DE> writes:
> Red Hat has recently released a Security Advisory (RHSA-1999:030-01)
> covering a buffer overflow in the vixie cron package. Debian
> discovered this bug two years ago and fixed it. Therefore versions
> in both the stable and the unstable distributions of Debian are
> not vulnerable to this problem.
Do there now exist arrangements to ensure that Red Hat get to hear
about Debian's security fixes, and vice versa? (And similarly with
regard to other Linux distributions, *BSD, ...) Clearly such
arrangements either didn't exist, or failed in some way, for this bug
two years ago.
Equally importantly - how many other bugs are fixed only in one
vendor's code, and still waiting to bite the rest of us? How best to
chase them down?