Re: Releasing new libspf2 into debian
Date: Thu Sep 18 11:33:01 2008
From: Shevek <email address hidden>
To: Scott Kitterman <email address hidden>
CC: Magnus Holmgren <email address hidden>
On Thu, 2008-09-18 at 11:18 -0400, Scott Kitterman wrote:
> On Thursday 18 September 2008 10:02, Shevek wrote:
> > Hi,
> >
> > People are asking me about making this vuln public. How long do you want
> > until you're ready to roll with a fix? You'll still need most of
> > Magnus's debian patches if you're only replacing that one file.
> >
> > S.
>
> For Ubuntu, I can probably get inputs to the security team today. They
> generally need 24-48 hours to get things rolled out. Unfortunately I'm
> leaving town in the morning and will be off the grid for a week (I'd thought
> this would wait until I got back). The Ubuntu development release doesn't
> promise any level of security goodness, so I'll get 1.2.6 into it once I get
> back (hopefully via Debian if Magnus gets it uploaded).
>
> I'll give the Ubuntu security team your name/address as a POC in my absence
> and make sure you know who to email before I go.
I'm still waiting to hear back from Dan, but CERT want to make this into
a CVE. I'm also travelling for work next week, although I'll be on
email, I hope.
I'm tempted to put this out as a quiet security update in both
distributions, preferably in advance of the fanfare; I don't want a CVE
coming out before Debian have released the patch. On the other hand, I
have agreed to wait for Dan.
S.