Fwd: [Advisories] Libpurple security vulnerability CORE-2009-0727

Warren Togami wtogami at redhat.com
Thu Jul 30 22:17:30 EDT 2009


>
> I am attaching a preliminary version of the advisory, written by
> Federico Muttis, encrypted with Luke's key. Don't hesitate to write back
> if you have any doubts or comments.  We are planning to release the
> advisory on August 18th, 2009.

Please note the August 18th embargo for releasing details of this 
vulnerability to the public.  Do we all agree to keep the embargo 
details private until August 18th?

I heard in #pidgin that August 3rd is planned for pidgin-2.6.0 release.

Our security team is wondering: what does pidgin upstream plan to do?

1) Release pidgin-2.6.0 patched for this vulnerability and do not 
respect the embargo.  (Seems to be standard procedure in the pidgin past, 
although this gives a heart attack to the security response people.)

2) Delay pidgin-2.6.0 until embargo lift.

3) Release pidgin-2.6.0 on schedule, prepare pidgin-2.6.1 for embargo 
lift with only this and critical fixes found since 2.6.0.

I think option #3 makes the most sense. Thoughts?

pidgin-2.7.0 was the planned point to require a minimum of glib-2.12, right?

Warren Togami
wtogami at redhat.com


