Comment 7 for bug 1164575

Dan Scott (denials) wrote :

Thanks for the comments, Mike. I agree with you on all counts; while revisiting oils_sql.c's overall structure is probably a really good idea, time is of the essence here for this level of vulnerability, and I think a 2.1 release is warranted for something of this potential magnitude. (It may be that TPAC exposed the vulnerability in a way that wouldn't be as easily tripped across in 2.1 via the JSPAC, but...)

I would suggest for 2.1 that we take the existing release tarball, drop in the patched oils_sql.c, add an entry to the changelog / release notes, and re-tar it. We could bump the release numbers in the various places, too. But I would not want to go through the full "check out and build a tarball from scratch" process for 2.1; that seems unwarranted and actually riskier to me. I'm willing to create the new 2.1 release tarball. (And we can prep the 2.1 release branch over in the security repo, so that we can just push the same branch into the real repo when it's release time.)