Pending disclosure date for MSN vulnerability

Mark Doliner mark at
Mon Aug 17 13:13:39 EDT 2009

On Sun, Aug 16, 2009 at 7:58 PM, John Bailey<rekkanoryo at> wrote:
> As has been discussed here previously, CORE has set a date of August 18 for
> disclosure of the vulnerability in the MSN prpl.  There was talk of trying to
> get more time to prep a coordinated release.  I have not seen any further
> mention of whether anyone has contacted CORE for this, so I'm assuming we're
> still on for the Tuesday deadline.
> To that end, I have committed the patches discussed here for both the MSN
> vulnerability and the file transfer filename crash to im.pidgin.pidgin in my
> local database but have not yet pushed.  I have also done the usual grabbing of
> changelog entries and whatnot from the 2.5.9 branch I created and tagged on.
> Currently what I need to know is:
>  * are we going to release on Tuesday?

I'm in favor of Tuesday.  (And I haven't seen anyone mention
delaying--was that on IRC or something?)

>  * when can I push my local changes to  That is, do I need to
> collect and merge any further changes on im.pidgin.pidgin and continue to sit on
> the changes I mentioned above up until tag and release time?

Yeah you should wait until Tuesday to push the changes.  And maybe do
a pull/merge around the same time that you push.


More information about the Packagers mailing list