Avoiding Future Security Bug Regressions
Max Kanat-Alexander
mkanat at bugzilla.org
Thu Feb 5 18:18:41 UTC 2009
On Thu, 5 Feb 2009 10:19:59 -0600 Bradley Baetz <bbaetz at acm.org> wrote:
> What we could have done is to put out an rc, with the promise that the
> only difference to the final would be any regression fixes from the
> security patch (and the version number bump).
I think that would be confusing and difficult, since that would
be two release processes, and we don't have any mechanisms in place to
have RCs of point releases.
> Admins on public
> instances could have upgraded and would have been no worse off, while
> internal/less critical installations could have waited.
In this particular case public instances would have been much
worse off--private attachments were accessible with a predictable token
when before they were secure. All existing CSRF protection was
defeated. Internal installations were always fine.
-Max
--
http://www.everythingsolved.com/
Competent, Friendly Bugzilla and Perl Services. Everything Else, too.
More information about the developers
mailing list