On Mon, Jun 30, 2008 at 01:58:32PM -0700, Quanah Gibson-Mount wrote:
> --On Monday, June 30, 2008 1:34 PM -0700 Steve Langasek <[EMAIL PROTECTED]>
> wrote:

> >> An upstream patch seems to be here:
> >> http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c.diff?r1=1.120&r2=1.121&hideattic=1&sortbydate=0

> > According to the bug state, this bug fix is still being tested upstream,
> > so it would be premature to upload this patch yet.

> You may wish to read the commit message. ;)

> 1.121 Fri Jun 27 00:36:41 2008 UTC; 3 days, 20 hours ago by hyc
> CVS Tags: HEAD
> Changed since 1.120: +6 -8 lines
> Diffs to 1.120 (colored diff)

> ITS#5580 fix length decoding, verified with PROTOS

Well, that can only prove that it's no longer vulnerable, right, not that it
still works after the fact? ;)  I'm still inclined to wait until I see
upstream bless this patch before pushing out a fix to unstable.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                     [EMAIL PROTECTED]

