Moving forward on two security bugs

Mark Doliner mark at kingant.net
Mon Feb 8 05:45:19 EST 2010


The bugs are:
1. CVE-2010-0277, the MSN SLP use-after-free bug from Fabian
Yamaguchi.  The public is aware that there might be problems, but not
aware of the specifics.  Probably shouldn't wait too much longer on
this one.  No embargo date set.
2. The Jabber too-many-smileys-causes-a-hang bug.  Not widely known.
Not super urgent.  No embargo date set.  We said we'd wait a few weeks
if other projects wanted to investigate fixing, but no other projects
responded (to my knowledge).

How should we move forward on these?  Options are:
1. Wait a week or two or three and release 2.6.6 with updated
translations and both of these fixes.
2. Release small patch release 2.6.6 which fixes the MSN bug.  Then
release 2.6.7 a month or so after that with updated translations and
the Jabber fix.

--Mark

