[Advisories] Libpurple security vulnerability CORE-2009-0727
Luke Schierer
lschiere at pidgin.im
Thu Jul 30 22:46:14 EDT 2009
On Jul 30, 2009, at 22:37 EDT, Stu Tomlinson wrote:
> On Fri, Jul 31, 2009 at 03:33, Luke Schierer <lschiere at pidgin.im> wrote:
>> To me the biggest question is can we *correctly* fix this issue this time around, since, if I read this report correctly, they are informing us that our previous fix didn't actually fix.
>
> Irrespective of whether we can fix it in time or not, I suggest delaying any further releases until we think we can fix it.
>
>> Given that we can, yes, I'd like to see the fixes come out in about the same timeframe as news of the vulnerability. But I recognize that we have historically been really really bad about waiting for a truly coordinated release.
>
> And if we can't/don't have a fix yet/whatever you think we should press ahead and release unfixed shiny new features anyway?
>
> Regards,
>
> Stu.
The original email I received indicated that they may be willing to hold off publishing if we can give them a realistic timeline for when we could have it fixed by.

I hadn't really thought about the potential for releases between now and then. I guess I just assumed that *if* we could fix it sooner, and get the fix to our packagers sooner, then we'd tell Core Security that they could publish sooner.

Now that you have me thinking about it, no, I don't think we should release a 2.6.0 between now and fixing it; too many people would grab that and neglect to grab a 2.6.1. If however there were something other than this critical to fix, I don't think I'd object to having a 2.5.9 fixing something else before we fix this.
Luke