Red Hat Product Security takes pride in the quality and timeliness of its Security Advisories and all the accompanying information we publish for every erratum and vulnerability that we track and fix in our products. There are many ways in which customers and the general public can get notified about those advisories and errata and one of the most commonly used is the rhsa-announce mailing list. This list has been around for nearly 10 years, and we have recently taken steps to increase its usefulness for a wider variety of subscribers.
E Pluribus Mail Unum
The rhsa-announce mailing list was created in November of 2007 with the purpose of delivering information about all security advisories published by Red Hat regardless of the product family they affected. Before rhsa-announce there were two mailing lists, enterprise-watch-list and jboss-watch-list, with the latter having been created earlier that year (March 2007) and the former going way back to March 2003. That is 14 years of security advisories archived publicly in a simple text format that makes it easy for search engines to index them.
Over time our product portfolio expanded and new mailing lists were created, maintaining the usual behavior: rhsa-announce received all advisory email, and the lists specific to a “product family” received only the advisories that affected those particular products. This led to the creation of rhev-watch-list and storage-watch-list (anyone remember stronghold-watch-list?), which have been a little less popular (hundreds of subscribers) than the original ones (thousands of subscribers).
As Red Hat’s product portfolio continues to expand, this raises a few questions. Are we just going to continue creating new lists? How do we expect interested people to find out about those lists? Is there a better way forward? Well, it turns out there is: mailing lists managed by Mailman can support topics, which are a way to create “sub-lists” inside a list by matching keywords in certain headers. Subscribers can update the topics they subscribe to at any time without having to manage multiple subscriptions and perhaps multiple filters in their email clients. We are therefore making rhsa-announce the one and only mailing list for all Red Hat Security Advisories, starting on June 1st, with topics support for selecting the specific security impacts of the published errata or the specific product families one is interested in.
Call to Action: if you currently subscribe to any security advisory mailing list at Red Hat other than rhsa-announce, please unsubscribe from them and select the topics you are interested in at rhsa-announce instead.
Subscribing to Specific Topics in RHSA-Announce
Subscribing to rhsa-announce is very easy: just visit the mailing list information page and follow the instructions in the “Subscribing to RHSA-announce” section; alternatively, send an email to email@example.com with a subject of “subscribe”. Either method should send you a confirmation email with instructions to confirm your subscription.
Once you are subscribed, go to the subscription options page, log in, and scroll down to the list of topics to select those that you are interested in. You will need your rhsa-announce subscription password to access that page (the one you entered in the WebUI or that Mailman generated for you if you subscribed via email). After selecting your topics of interest, click on “Submit My Changes” at the bottom of the page to save your options.
The topics for Critical, Important, Moderate, and Low severity issues match for every product so, for example, selecting “Critical Severity Issues” delivers email about advisories of Critical impact affecting every Red Hat product. The topics for specific product lines match on every product in that group so “Middleware products issues” matches and delivers all advisory emails, of any severity, concerning our Middleware products.
Unfortunately, one cannot subscribe to intersections of topics; it is not possible to subscribe only to “Critical advisories for OpenStack” or similar. The topic subscription is a union of all topics selected. Another detail worth mentioning is that Mailman topic filtering is sometimes “too inclusive”, and some advisories may match more than the expected topics, depending on the contents of some email headers. Topics do not miss a product advisory email, though; they may just sometimes include messages for a product outside the expected group.
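The union behaviour described above, next to a subscriber-side intersection filter, as an added example that is not Red Hat's or Mailman's code: it is a simplified model of Mailman-style topic matching (regexes against the Subject: and Keywords: headers). The topic regexes, the Subject layout, the advisory IDs and the function names are all assumptions made for illustration.

```python
import re
from email import message_from_string

# Hypothetical topic table: names echo the post, regexes are assumptions.
TOPICS = {
    "Critical Severity Issues": r"\bcritical\b",
    "OpenStack issues": r"openstack",
    "Middleware products issues": r"\b(jboss|eap)\b",
}

def matched_topics(raw):
    """Topics whose regex hits the Subject: or Keywords: header."""
    msg = message_from_string(raw)
    fields = [msg.get("Subject", "")] + msg.get("Keywords", "").split(",")
    return {name for name, rx in TOPICS.items()
            if any(re.search(rx, f, re.IGNORECASE) for f in fields)}

def list_delivers(raw, subscribed):
    """List-side behaviour: union, one matching topic is enough."""
    return bool(matched_topics(raw) & set(subscribed))

def local_keep(raw, required):
    """Subscriber-side filter: intersection, every topic must match."""
    return set(required) <= matched_topics(raw)

# Constructed sample messages (placeholder advisory IDs, assumed Subject layout).
SAMPLES = {
    "crit_openstack": "Subject: [RHSA-0000:0001] Critical: openstack-nova security update\n\nbody\n",
    "mod_openstack": "Subject: [RHSA-0000:0002] Moderate: openstack-keystone security update\n\nbody\n",
    "crit_kernel": "Subject: [RHSA-0000:0003] Critical: kernel security update\n\nbody\n",
    # Over-inclusive match: severity is Low, but a keyword trips the Critical topic.
    "low_overmatch": "Subject: [RHSA-0000:0004] Low: example-tool security update\n"
                     "Keywords: critical-path\n\nbody\n",
}

def triage(subscribed):
    """Map sample name -> (delivered by list, kept by local filter)."""
    return {name: (list_delivers(raw, subscribed), local_keep(raw, subscribed))
            for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    wanted = ["Critical Severity Issues", "OpenStack issues"]
    for name, (delivered, kept) in triage(wanted).items():
        print(f"{name:15} delivered={delivered} kept={kept}")
```

With both topics selected, the list delivers all four samples, while the local filter keeps only the advisory that is both Critical and OpenStack.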
If one wishes to unsubscribe from rhsa-announce (or any other list hosted by Red Hat), that can also be done from the list options page or by sending an email to firstname.lastname@example.org with a subject of “unsubscribe”. For other lists the operation is similar: just append “-email@example.com” to the list name to obtain the address to send the unsubscribe command to, such as firstname.lastname@example.org.
Finally, it should be noted that rhsa-announce is not meant for general discussion of advisories; it is a read-only mailing list. Questions regarding advisories can be sent to Red Hat Support or to Red Hat Product Security.
Other Sources of Errata Notifications and Vulnerability Information
While we’re on the subject of receiving notifications about Red Hat Security Advisories and our security errata, it should be mentioned that email is not the only way to get that information. The Product Security section of the Red Hat Customer Portal contains a wealth of information about our advisories, individual CVEs, blog posts, and more. Certain vulnerabilities need special attention, sometimes because they are truly severe and sometimes because we feel the need to dispel some myth involving scary logos and catchy names. Those get a more detailed article in the Vulnerability Responses section of the Portal. Logged-in users who have active Red Hat Subscriptions can also go to the notifications area of the Customer Portal and choose from a good number of errata notification options to receive more personalized notifications.
For those interested in automation, in addition to the usual machine-consumable CVRF and OVAL data we have been providing for years, we also provide a Security Data API that everyone is welcome to make reasonable use of and easily query for many kinds of security information they are interested in regarding our products.
As can be seen, there are many options for consuming our published security advisory information. This continues our tradition of providing objective and timely security advice as transparently and openly as possible, something Red Hat Product Security is very proud of.