There are no guarentees of anything. As the web site says "In fact, if
you need a fully tested and supported OS you probably should go buy their
[Red Hat's] box set."

That said, John has been very good about getting updates out.

As it happens, John is currently away at a Library-related convention.
However, he has high-speed internet in his hotel room; there's a fair
chance a package could show up tonight.

However, one guarantee you have for White Box is that the RedHat *source*
RPMs are freely available, and any WhiteBox installation with the build
chain installed *should* be able to rebuild the RH source package - the
advantage of John doing it is that it goes to the mirrors, and up2date
knows about it.

However, like any other security threat, each threat must be evaluated in
terms of *your* system, and your reaction should match - should you look
at the Security Alert and dive into the code yourself to fix it *NOW*, or
wait for the project managers to issue a fix, and build it into a package,
or wait for your distro vendor to release a package. Can you live with
that service running, or do you need to shut it down *NOW* - and if you do
shut it down, does it shut down your business?

One of these millennia, we'll have a one-size-fits-all distro - and I hope
I never see it - because it'll be the worst thing that could possibly
happen to Linux.

First, that would be an issue to bring up with RedHat. Second, RedHat
usually backports security patches into the same version they are already
distributing rather than upgrading to fix the security hole. I haven't
looked at the details, but I would suspect RedHet's recent advisory on
OpenSSL includes the changes made in 0.9.7d.