Date: Fri, 06 Mar 2015 23:26:53 +1300
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2015-0881

On 2/03/2015 8:08 p.m., Kurt Seifried wrote:
> So for those of us vendors/etc that need to backport security
> fixes and/or confirm our software is fixed how are we supposed to
> do this?
>
> How long will the patch/attack information be embargoed for?
>
> Also why has this been covered up for over 5 years and is now still
> a secret? I'm very confused and I have some grave concerns about
> how JVN/upstream is handling this.

Until today it seems:
https://jvn.jp/en/jp/JVN64455813/index.html

Patch is
<http://www.squid-cache.org/Versions/v3/3.1/changesets/b9619.patch> if
you want to try back-porting. Take care though if you do, all the
earlier versions have different logics surrounding how the connection
data gets accounted.

I hope this one is better for you.

Still outstanding on Mitre's verdict about the CVE number though. JPCERT
tell me that should be next week, but you probably know more than me how
reliable an estimate that is.

Amos