Jonathan,
I'm definitely open to working with Debian to find a way to get you early access. We've guessed that was something some distributions would like, but I haven't worked with each distro to figure out their needs yet. Thanks for bringing the subject up.
For the March 4th release, I get a CVSS score of 1.8 and 3.5 for the non-public bugs (if you have another preferred webapp scoring system, I'm happy to generate a score for you). Additionally, already publicly in the release branches are patches to pass '2' to CURLOPT_SSL_VERIFYHOST instead of 'true' for outbound curl connections.
Hope that helps!
Chris
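The CURLOPT_SSL_VERIFYHOST change mentioned above, shown as an added example (not MediaWiki's own code): the pre-patch setting beside the corrected one, plus a small audit helper over a curl options array; the function names and the sample option arrays are constructed for illustration.

```php
<?php
// Added example, not MediaWiki code. Shows why passing `true` to
// CURLOPT_SSL_VERIFYHOST is weaker than passing 2.

// WEAK: PHP casts `true` to the integer 1. In the libcurl versions of the
// time, VERIFYHOST=1 only checked that the certificate *contains* a common
// name; it did not check that the name matches the host being contacted,
// so any valid certificate from a trusted CA would be accepted.
function weakCurlHandle(string $url) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true); // == 1: no hostname match
    return $ch;
}

// FIXED: 2 makes libcurl check that the certificate's CN or subjectAltName
// matches the requested hostname, on top of chain validation (VERIFYPEER).
// Both checks are needed for a trustworthy outbound TLS connection.
function verifiedCurlHandle(string $url) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

// Audit helper (hypothetical): given an options array of the kind passed to
// curl_setopt_array(), return findings for settings that weaken TLS checks.
function auditCurlTlsOptions(array $opts): array {
    $findings = [];
    if (array_key_exists(CURLOPT_SSL_VERIFYPEER, $opts) && !$opts[CURLOPT_SSL_VERIFYPEER]) {
        $findings[] = 'CURLOPT_SSL_VERIFYPEER is disabled: certificate chain is not validated';
    }
    if (array_key_exists(CURLOPT_SSL_VERIFYHOST, $opts)) {
        $v = $opts[CURLOPT_SSL_VERIFYHOST];
        // `true` becomes 1, 0/false disables the check; only 2 matches the hostname.
        if ($v === true || (int)$v !== 2) {
            $findings[] = 'CURLOPT_SSL_VERIFYHOST is ' . var_export($v, true) . ': must be 2 to check the hostname';
        }
    }
    return $findings;
}

// Constructed samples: the pre-patch configuration and the patched one.
$weak = [CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => true];
foreach (auditCurlTlsOptions($weak) as $f) {
    echo "finding: $f\n";
}
$fixed = [CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => 2];
echo count(auditCurlTlsOptions($fixed)) === 0 ? "fixed config: ok\n" : "fixed config: weak\n";
```

Newer libcurl releases changed how the value 1 is treated, so the audit keys on "not 2" rather than on a specific version's behaviour.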
On 03/02/2013 12:50 PM, Chris Steipp wrote:
> I'm definitely open to working with Debian to find a way to get you early access. We've guessed that was something some distributions would like, but I haven't worked with each distro to figure out their needs yet. Thanks for bringing the subject up.
Sorry, I missed this before I sent my email.
Hi,
On 2013-03-02 17:50, Chris Steipp wrote:
> I'm definitely open to working with Debian to find a way to get you early access. We've guessed that was something some distributions would like, but I haven't worked with each distro to figure out their needs yet. Thanks for bringing the subject up.
I'd rather like to re-visit this. In the short term, would you be happy to disclose the forthcoming advisory and patches for 3rd September to our security team, with their GPG key, for them to disseminate as appropriate? At a minimum could you send on the proposed advisory text so we can do an assessment?
In the long run getting early access to patches would be really helpful for preparing packages we can release when embargoes are lifted.
Thanks,
mediawiki-distributors@lists.wikimedia.org