MSN SLP Security Vulnerability
mark at kingant.net
Wed Jun 18 14:19:41 EDT 2008
On Wed, 18 Jun 2008 07:55:31 -0400, Stu Tomlinson wrote
> On Wed, 2008-06-18 at 06:20 -0400, Luke Schierer wrote:
> > On Tue, Jun 17, 2008 at 09:39:21PM -0500, Richard Laager wrote:
> > > We received a report of a security vulnerability. I don't know how these
> > > things are typically handled, but we should cut a release soon. Ethan
> > > suggested a fix. I built a patch. How should we proceed?
> > >
> > > Richard
> > Commit it with something fairly innocuous as the commit message, then move
> > directly into release without string freeze as soon as we are in a
> > stable enough position to do so.
> I don't know the details of the vulnerability or the proposed fix,
> but I suggest we release 2.4.3 as a security-fix only release
> (possibly also with those XML memory leaky things fixed too),
> branched from 2.4.2 instead of releasing whatever happens to be in
> i.p.p currently.
This sounds good to me. Has the vulnerability been released publicly? If not,
we might want to set an embargo date a few days in the future to give the
packagers time to prepare new packages for their respective distributions.