Jonathan,
I'm definitely open to working with Debian to find a way to get you
early access. We've guessed that was something some distributions
would like, but I haven't worked with each distro to figure out their
needs yet. Thanks for bringing the subject up.
For the March 4th release, I get a CVSS score of 1.8 and 3.5 for the
non-public bugs (if you have another preferred webapp scoring system,
I'm happy to generate a score for you). Additionally, patches to pass
'2' to CURLOPT_SSL_VERIFYHOST instead of 'true' for outbound curl
connections are already public in the release branches.
Hope that helps!
Chris
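[Added example, not code from the upstream project or from either message in this thread. It shows why the VERIFYHOST change above matters and gives a packager a small check to run over a branch before backporting. PHP casts the value given to curl_setopt() for CURLOPT_SSL_VERIFYHOST to an integer, so `true` becomes 1, which on the libcurl of that era only checked that the peer certificate carried a common name; only 2 checks that the name matches the host being connected to. The sample source string and the function names are constructed for this example.]

```php
<?php
// Added example; not from the upstream project or the thread above.
// Hypothetical helper names; the sample source below is constructed.

declare(strict_types=1);

// curl_setopt() casts CURLOPT_SSL_VERIFYHOST's value to int:
//   true -> 1 : only checks that the peer certificate has a common name
//   2         : also checks that the name matches the host in the URL
// So 'true' silently accepts a valid certificate issued for any other host.
function verifyhost_level($value): int {
    return (int) $value;
}

// The weak pattern the release-branch patches replace.
function curl_handle_weak(string $url) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true); // passed to libcurl as 1
    return $ch;
}

// The hardened form: an explicit 2, with peer verification left on.
function curl_handle_hardened(string $url) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    return $ch;
}

// Scanner for a source tree: returns [line number => line] for every
// curl_setopt() that sets CURLOPT_SSL_VERIFYHOST to anything but a literal 2.
function find_weak_verifyhost(string $source): array {
    $hits = [];
    foreach (explode("\n", $source) as $i => $line) {
        if (preg_match('/CURLOPT_SSL_VERIFYHOST\s*,\s*([^)]+)\)/', $line, $m)
            && trim($m[1]) !== '2') {
            $hits[$i + 1] = trim($line);
        }
    }
    return $hits;
}

// Constructed sample, standing in for the contents of a checkout.
$sample = <<<'PHP'
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
PHP;

foreach (find_weak_verifyhost($sample) as $n => $line) {
    echo "weak VERIFYHOST at line $n: $line\n";
}
echo "'true' reaches libcurl as level " . verifyhost_level(true) . "\n";
```

Running this over a real tree (e.g. feeding each file's contents to find_weak_verifyhost()) flags lines 1, 3 and 4 of the sample; line 2 is the corrected form. Newer libcurl releases stopped honouring the value 1, but code relying on that is still wrong on older libraries such as those shipped in a long-lived stable release, which is exactly where a backport would run.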
Hi,
I wonder if we could co-ordinate early disclosure of forthcoming security
fixes, such as that due on 4th March, to nominated contacts at the
various distributions. I speak only with a Debian hat, of course.
The problem I have currently is that I don't know what the content or
severity of these releases is in advance of the day, and so can't prepare
and test packages satisfactorily ahead of the release. I also can't
guarantee how much spare capacity I have around that time.
If we knew in advance what was coming up, we could prepare packages and
release them immediately after the upstream release. For Debian at least,
we already have the infrastructure to build and test in advance and then
just hit 'go' when the time comes.
This would also give us more time to prepare and test backports to
older versions, such as the 1.15 we currently have in stable and will
have for at least the next 12 months.
I would envisage such advance disclosures being embargoed and encrypted,
naturally.
Thanks,
--
Jonathan Wiltshire jmw(a)debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
<directhex> i have six years of solaris sysadmin experience, from
8->10. i am well qualified to say it is made from bonghits
layered on top of bonghits