Fwd: [Advisories] Libpurple security vulnerability CORE-2009-0727

Mark Doliner mark at kingant.net
Fri Jul 31 02:16:00 EDT 2009

On Thu, Jul 30, 2009 at 7:27 PM, Stu Tomlinson<stu at nosnilmot.com> wrote:
> On Fri, Jul 31, 2009 at 03:17, Warren Togami<wtogami at redhat.com> wrote:
>> I heard in #pidgin that August 3rd is planned for pidgin-2.6.0 release.
> I think you heard that the string freeze had been extended until then.
> That does not necessarily mean that's the release date.
>> Our security team is wondering what does pidgin upstream plan to do?
>> 1) Release pidgin-2.6.0 patched for this vulnerability and do not respect
>> embargo.  (Seems to be standard procedure in the pidgin past, although this
>> gives a heart attack to the security response people.)
>> 2) Delay pidgin-2.6.0 until embargo lift.
>> 3) Release pidgin-2.6.0 on schedule, prepare pidgin-2.6.1 for embargo lift
>> with only this and critical fixes found since 2.6.0.
>> I think option #3 makes the most sense. Thoughts?
> My personal preference is for #2.
> (without discussing with any other pidgin developers) I'd also like to
> consider releasing 2.5.9 with this and any other critical fixes at the
> same time. 2.6.0 might be too adventurous for some.

I agree, my personal preference is also for #2.  And I think releasing
2.5.9 with the fix is reasonable.

A reminder to developers: We should avoid checking in any changes
related to this until shortly before the embargo date, since that
makes the problem semi-public (or is that what qulogic's changes were
earlier tonight?).


More information about the Packagers mailing list