IRC remote crasher and patch
Ethan Blanton
elb at pidgin.im
Mon Jul 18 10:04:11 EDT 2011
Jan Lieskovsky spake unto us the following wisdom:
> >http://developer.pidgin.im/ticket/14341
>
> Since the bug (and relevant reproducer:
> http://developer.pidgin.im/ticket/14341#comment:14)
>
> are public already, the CVE identifier should be requested via
> oss-security mailing list:
> [1] http://oss-security.openwall.org/wiki/mailing-lists/oss-security
>
> But please keep in mind, it is a public mailing list (so as soon as
> you post CVE request there, the whole issue will be public). So CVE
> identifier should be requested only one / two days before new upstream
> release is public.

OK, thanks for the procedural information.

> Since the issue is semi public, we can not allocate a CVE identifier
> any more (since we would risk Mitre would assign another one for the
> same issue and this can result in CVE rejection process etc).
>
> So safer if you would request it there, once upstream ready (should be
> allocated within 1-2 days).
>
> >A patch to fix this problem is attached. It will be included in 2.9.1
> >when it is released, which will hopefully not be too far off. At that
> >time, vendors should feel free to apply the attached patch to their
> >packages.
>
> Hopefully a more exact time estimation, when we can expect the
> v2.9.1 release to be public?

I don't know yet. There are some other fixes being worked on. We're
planning on a proper string freeze and release, so you'll have at
least a few days of notice for that. We will keep this list posted on
the release time frame, and I will let you know when the email goes to
oss-security, as distributions should feel free to apply the fix at
that time, I guess.

We may need to discuss this one, maybe the proverbial cat is already
out of the bag and I need to just push the patch.

Ethan