In message: <20031004021041.GA33705_at_pit.databus.com>
Barney Wolff <barney_at_databus.com> writes:
: On Fri, Oct 03, 2003 at 06:54:04PM -0700, Will Andrews wrote:
: > On Fri, Oct 03, 2003 at 09:45:27PM -0400, Barney Wolff wrote:
: > > I'm finally motivated to ask, why don't security advisories contain
: > > the equivalent revs for -head? Surely I can't be the only person
: > > following -current who doesn't build every day.
: >
: > Simply because the SO does not support -CURRENT.
:
: Does this mean that the situation can ever arise where a security bug
: is corrected in the advisory's announced releases but not in -current?

Typically yes. However, see below.

: Or, can we assume that as of the time of the security announcement
: the vulnerability has *always* been corrected in -current?

Standard operating procedure is to commit to head, then to the
branches. However, it is theoretically possible that a bug exists in
current that is exploitable in the same way that an advisory
addresses. I think we've had this issue only once in the project's
history. The code was in the kernel and the then-current -current was
so different from stable that patches to stable didn't fix the problem
on current and it took a while to realize that there was a problem and
to fix it.

Warner

Received on Fri Oct 03 2003 - 21:26:06 UTC