On Sat, 6 Apr 2013, Michael Gilbert wrote:
> I'm not seeing any new kerberos releases: http://web.mit.edu/kerberos/krb5-1.10
Current Kerberos Security Team policy is to not issue security advisories for null pointer dereference crashes. We assign CVE numbers for tracking, but do not delay publishing a fix until a new point release is available.
> Is this perhaps not meant to be public knowledge yet?
The patch is intentionally public. Note that a user must be authenticated in order to trigger the crash.
-Ben