MSN SLP Security Vulnerability

Stu Tomlinson stu at
Wed Jun 18 07:55:31 EDT 2008

On Wed, 2008-06-18 at 06:20 -0400, Luke Schierer wrote:
> On Tue, Jun 17, 2008 at 09:39:21PM -0500, Richard Laager wrote:
> > We received a report of a security vulnerability. I don't know how these
> > things are typically handled, but we should cut a release soon. Ethan
> > suggested a fix. I built a patch. How should we proceed?
> > 
> > Richard
> Commit it with something fairly inocous as the commit message, then move
> directly into release without string freeze as soon as we are in a
> stable enough position to do so.  

I don't know the details of the vulnerability or the proposed fix, but I
suggest we release 2.4.3 as a security-fix only release (possibly also
with those XML memory leaky things fixed too), branched from 2.4.2
instead of releasing whatever happens to be in i.p.p currently.



More information about the Packagers mailing list