Remote crash in Finch

Mark Doliner mark at kingant.net
Tue Feb 9 19:11:22 EST 2010


On Tue, Feb 9, 2010 at 10:03 AM, Ethan Blanton <elb at pidgin.im> wrote:
> Sadrul Habib Chowdhury spake unto us the following wisdom:
>> How do we deal with this issue? From the looks of things, it appears
>> the remote exploitability in finch is still 'unknown', and we can
>> probably get away with a scheduled release of 2.6.6 in a week's time. In
>> the meantime, I believe we should request for a CVE# and notify the
>> packagers?
>
> Agreed on all points, assuming we actually release 2.6.6 in a timely
> fashion.
>
> Josh Bressers can issue us a CVE on the spot for non-disclosed issues,
> and (I believe) he is on packagers at .

Agreed on all points.  Sadrul, want to email packagers@ with a short
description of the bug and ask Josh if he can assign a CVE#?  I'd hold
off on sending a patch to that list for now.  I'm planning on emailing
them a summary of the three vulnerabilities with patches probably
tomorrow night.

--Mark

