
May 19, 2004
2:17 a.m.
Hi John and Hi Barry.
John Dennis wrote:
> On Sat, 2004-05-15 at 19:22, Barry Warsaw wrote:
> > This version also contains a fix for an exploit that could allow 3rd parties to retrieve member passwords. It is thus highly recommended that all existing sites upgrade to the latest version.
>
> Could you be more specific about the exploit? Is there a CVE or CAN open against it? I assume given the public announcement this is not an embargoed security exploit, or is it?
The exploit is very easy for anyone who can view the source (and diff) with curiosity. So, we should send CVE/CAN ASAP, I think.
-- Tokio