Moving forward on two security bugs
Ethan Blanton
elb at pidgin.im
Mon Feb 8 08:04:01 EST 2010
Mark Doliner spake unto us the following wisdom:
> The bugs are:
> 1. CVE-2010-0277, the MSN SLP use-after-free bug from Fabian
> Yamaguchi. The public is aware that there might be problems, but not
> aware of the specifics. Probably shouldn't wait too much longer on
> this one. No embargo date set.
> 2. The Jabber too-many-smileys-causes-a-hang bug. Not widely known.
> Not super urgent. No embargo date set. We said we'd wait a few weeks
> if other projects wanted to investigate fixing, but no other projects
> responded (to my knowledge).
>
> How should we move forward on these? Options are:
> 1. Wait a week or two or three and release 2.6.6 with updated
> translations and both of these fixes.
I am in favor of freezing for 2.6.6 and releasing sooner rather than
later, on this plan. I think we should query the ocert/psi/etc.
people about that to make sure they're OK with it, but I don't
anticipate a problem.
Ethan
--
The laws that forbid the carrying of arms are laws [that have no remedy
for evils]. They disarm only those who are neither inclined nor
determined to commit crimes.
-- Cesare Beccaria, "On Crimes and Punishments", 1764