IRC remote crasher and patch

Ethan Blanton elb at
Mon Jul 18 10:04:11 EDT 2011

Jan Lieskovsky spake unto us the following wisdom:
> >
> Since the bug (and relevant reproducer:
> are public already, the CVE identifier should be requested via
> oss-security mailing list:
> [1]
> But please keep in mind, it is a public mailing list (so as soon as
> you post CVE request there, the whole issue will be public). So CVE
> identifier should be requested only one / two days before new upstream
> release is public.

OK, thanks for the procedural information.

> Since the issue is semi public, we can not allocate a CVE identifier
> any more (since we would risk Mitre would assign another one for the
> same issue and this can result in CVE rejection process etc).
> So safer if you would request it there, once upstream ready (should be
> allocated within 1-2 days).
>
> > A patch to fix this problem is attached.  It will be included in 2.9.1
> > when it is released, which will hopefully not be too far off.  At that
> > time, vendors should feel free to apply the attached patch to their
> > packages.
>
> Hopefully a more exact time estimation, when we can expect the
> v2.9.1 release to be public?

I don't know yet.  There are some other fixes being worked on.  We're
planning on a proper string freeze and release, so you'll have at
least a few days of notice for that.  We will keep this list posted on
the release time frame, and I will let you know when the email goes to
oss-security, as distributions should feel free to apply the fix at
that time, I guess.

We may need to discuss this one; maybe the proverbial cat is already
out of the bag and I need to just push the patch.
