Questions about Pidgin security fix release

Mark Doliner mark at kingant.net
Tue Aug 9 17:02:00 EDT 2011


We have a few security fixes we need to release soon:
1. Remote crash in IRC prpl from non-ASCII chars in a user's nickname
2. Remote crash in MSN prpl from improper handling of HTTP 100 Continue
3. The silly file:// execution thing
4. Possibly any bugs found by the EFF guys, but seems unlikely

Question #1:
Should we create a 2.9.1 release that contains only the fixes for
these bugs (and possibly a few other important bug fixes)?  Or should
we just release everything in im.pidgin.pidgin as 2.10.0?

Question #2:
We need to pick a date to lift the embargo.  If we do 2.9.1 it could
be as soon as Friday.  If we do 2.10.0 it seems like we might want to
give translators a little time, in which case maybe we could release
during the second half of next week?  Maybe August 18?

My vote is 2.10.0 (because it's less work than creating a 2.9.1), and
August 18 (should give enough time for translators and packagers).

--Mark

