Moving forward on two security bugs

Ethan Blanton elb at
Mon Feb 8 08:04:01 EST 2010

Mark Doliner spake unto us the following wisdom:
> The bugs are:
> 1. CVE-2010-0277, the MSN SLP use-after-free bug from Fabian
> Yamaguchi.  The public is aware that there might be problems, but not
> aware of the specifics.  Probably shouldn't wait too much longer on
> this one.  No embargo date set.
> 2. The Jabber too-many-smileys-causes-a-hang bug.  Not widely known.
> Not super urgent.  No embargo date set.  We said we'd wait a few weeks
> if other projects wanted to investigate fixing, but no other projects
> responded (to my knowledge).
> How should we move forward on these?  Options are:
> 1. Wait a week or two or three and release 2.6.6 with updated
> translations and both of these fixes.

I am in favor of freezing for 2.6.6 and releasing sooner rather than
later, on this plan.  I think we should query the ocert/psi/etc.
people about that to make sure they're OK with it, but I don't
anticipate a problem.


The laws that forbid the carrying of arms are laws [that have no remedy
for evils].  They disarm only those who are neither inclined nor
determined to commit crimes.
		-- Cesare Beccaria, "On Crimes and Punishments", 1764
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 481 bytes
Desc: Digital signature
URL: <>

More information about the security mailing list