MSN SLP Security Vulnerability

Mark Doliner mark at kingant.net
Wed Jun 18 14:19:41 EDT 2008


On Wed, 18 Jun 2008 07:55:31 -0400, Stu Tomlinson wrote
> On Wed, 2008-06-18 at 06:20 -0400, Luke Schierer wrote:
> > On Tue, Jun 17, 2008 at 09:39:21PM -0500, Richard Laager wrote:
> > > We received a report of a security vulnerability. I don't know how these
> > > things are typically handled, but we should cut a release soon. Ethan
> > > suggested a fix. I built a patch. How should we proceed?
> > > 
> > > Richard
> > 
> > Commit it with something fairly innocuous as the commit message, then move
> > directly into release without string freeze as soon as we are in a
> > stable enough position to do so.
> 
> I don't know the details of the vulnerability or the proposed fix,
> but I suggest we release 2.4.3 as a security-fix only release
> (possibly also with those XML memory leaky things fixed too),
> branched from 2.4.2 instead of releasing whatever happens to be in
> i.p.p currently.

This sounds good to me.  Has the vulnerability been released publicly?  If not,
we might want to set an embargo date a few days in the future to give the
packagers time to prepare new packages for their respective distributions.

-Mark


