On Fri, Aug 14, 2015, at 12:31, Mason Loring Bliss wrote:
>
> > The packages are there, so I don't understand how you observe these
> > packages to still be vulnerable.
>
> How about, two of them were vulnerable until I wrote to the list with the
> dismaying thought that we were going to ship vulnerable packages, at which
> point someone with the ability to push packages around decided to fix
> them...?
>

My mistake, I didn't notice they were published after your initial email.

Looking at the timestamps for Firefox 40.0,1 getting committed:

    HEAD    r393690  Fri Aug  7 12:02:41 2015 UTC
    2015Q3  r393958  Tue Aug 11 18:29:59 2015 UTC

Ok, that took much longer than usual. The MFH requests are usually processed quickly. I checked my emails and the MFH request was processed & approved a few hours after the commit.

Now to add further complications, Firefox 40.0,1 received a lot of complaints about very frequent crashing (PR 202174). It wasn't until a bit later that it was fixed at r393805 on Sunday.

Basically, 2015Q3 users didn't receive Firefox 40.0 until several changes went into HEAD. They could have received the update same day for the sake of security, but I'm not sure what good it would have been if the browser was unusable.

I'm not going to make excuses -- I wish it could have been pushed out faster. I just hope this helps clear up what was going on with this incident, though. We will continue to push forward and learn from mistakes.

> That said, I will happily use the mechanisms you noted if I see this sort
> of situation in the future, and I am sincerely, deeply grateful that the
> high-profile stuff I pointed out was fixed so rapidly in response to my
> pointing it out.