Remote crash in Finch

Sadrul Habib Chowdhury sadrul at
Tue Feb 9 22:28:23 EST 2010

* Mark Doliner had this to say on [09 Feb 2010, 16:11:22 -0800]:
> On Tue, Feb 9, 2010 at 10:03 AM, Ethan Blanton <elb at> wrote:
> > Sadrul Habib Chowdhury spake unto us the following wisdom:
> >> How do we deal with this issue? From the looks of things, it appears
> >> the remote exploitability in finch is still 'unknown', and we can
> >> probably get away with a scheduled release of 2.6.6 in a week's time. In
> >> the meantime, I believe we should request a CVE# and notify the
> >> packagers?
> >
> > Agreed on all points, assuming we actually release 2.6.6 in a timely
> > fashion.
> >
> > Josh Bressers can issue us a CVE on the spot for non-disclosed issues,
> > and (I believe) he is on packagers at .
> Agreed on all points.  Sadrul, want to email packagers@ with a short
> description of the bug and ask Josh if he can assign a CVE#?  I'd hold
> off on sending a patch to that list for now.


> I'm planning on emailing
> them a summary of the three vulnerabilities with patches probably
> tomorrow night.

Sounds good to me.

