[Mailman-Developers] Imminent release of a Mailman security fix.
Richard Damon
Richard at Damon-Family.org
Mon Aug 22 06:44:17 EDT 2016
On 8/22/16 5:31 AM, A. Schulze wrote:
>
> Mark Sapiro:
>
>> There is a CSRF vulnerability ...
>> I have developed a fix...
>> I'm delaying the release ...
>
>
>
> Hello,
>
> don't understand why you wait? Yes, some people may need time to plan an
> update.
> But there are also people not needing such a plan. They could use the
> patch just now.
>
> But maybe you have your reason to do it in that way.
> Anyway: thanks for mailman :-)
>
> Andreas
>
>
The normal procedure for security updates in the software industry is an
advance announcement so people can plan, and then a release at a
specified time point, so people can plan to update right then if possible.
The issue is that the security flaw is normally not generally known,
and releasing the patch sometimes gives enough information to allow
someone to figure out the security flaw and to exploit it in a short
while, so you want people to be able to rapidly apply the update before
that happens.
--
Richard Damon