Fwd: [Advisories] Libpurple security vulnerability CORE-2009-0727

Stu Tomlinson stu at nosnilmot.com
Thu Jul 30 22:27:11 EDT 2009


On Fri, Jul 31, 2009 at 03:17, Warren Togami <wtogami at redhat.com> wrote:
> I heard in #pidgin that August 3rd is planned for pidgin-2.6.0 release.

I think you heard that the string freeze had been extended until then.
That does not necessarily mean that's the release date.

> Our security team is wondering what does pidgin upstream plan to do?
>
> 1) Release pidgin-2.6.0 patched for this vulnerability and do not respect
> embargo.  (Seems to be standard procedure in the pidgin past, although this
> gives a heart attack to the security response people.)
>
> 2) Delay pidgin-2.6.0 until embargo lift.
>
> 3) Release pidgin-2.6.0 on schedule, prepare pidgin-2.6.1 for embargo lift
> with only this and critical fixes found since 2.6.0.
>
> I think option #3 makes the most sense. Thoughts?

My personal preference is for #2.

(without discussing with any other pidgin developers) I'd also like to
consider releasing 2.5.9 with this and any other critical fixes at the
same time. 2.6.0 might be too adventurous for some.

Regards,


Stu.