>My view is CERT is doing EXACTLY what is needed. That is informing
>the masses as to possible security problems.
This is certainly a necessary service, but...
>I would expect that
>you would turn to your UNIX vendor for more detailed information
>instead of CERT.
That's fine if you have a homogeneous unix environment and your
vendor is responsive and accommodating (ha ha). But if you have IBMs,
SUNs, neXTs, DECs, etc., possibly in an organization spanning a lot
of physical geography, this is a very painful process.
Perhaps one solution is a clearinghouse for security-related fixes
to which all vendors can contribute. Ideally, these fixes would be
cross-referenced with CERT and other advisories so a system administrator
could ask "what fixes from all vendors address advisory xxx?"
Perhaps this has already been done. If so, show me to it!