IRC remote crasher and patch
elb at pidgin.im
Mon Jul 18 10:04:11 EDT 2011
Jan Lieskovsky spake unto us the following wisdom:
> Since the bug (and relevant reproducer:
> are public already, the CVE identifier should be requested via
> oss-security mailing list:
>  http://oss-security.openwall.org/wiki/mailing-lists/oss-security
> But please keep in mind, it is a public mailing list (so as soon as
> you post CVE request there, the whole issue will be public). So CVE
> identifier should be requested only one / two days before new upstream
> release is public.
OK, thanks for the procedural information.
> Since the issue is semi-public, we cannot allocate a CVE identifier
> any more (since we would risk MITRE assigning another one for the
> same issue, and this can result in a CVE rejection process, etc.).
> So it is safer if you request it there once upstream is ready (it should be
> allocated within 1-2 days).
> >A patch to fix this problem is attached. It will be included in 2.9.1
> >when it is released, which will hopefully not be too far off. At that
> >time, vendors should feel free to apply the attached patch to their
> Hopefully a more exact time estimate of when we can expect the
> v2.9.1 release to be public?
I don't know yet. There are some other fixes being worked on. We're
planning on a proper string freeze and release, so you'll have at
least a few days of notice for that. We will keep this list posted on
the release time frame, and I will let you know when the email goes to
oss-security, as distributions should feel free to apply the fix at
that time, I guess.
We may need to discuss this one, maybe the proverbial cat is already
out of the bag and I need to just push the patch.