Re: Debian glibc security update
Branden Robinson <branden@debian.org> writes:
> http://lwn.net/2002/0117/security.php3
>
> "Debian took two months to distribute a fix for a glibc buffer overflow
> vulnerability. This week's glibc updates from Debian and Slackware
> distribute a fix for the problem about two months after the first update
> from Red Hat on December 14th."
>
> I don't know what calendar the LWN editorial staff uses, but where I
> live, the duration from December 14th to January 13th (the day the
> Debian security advisory was released), more closely resembles one month
> than two. (I would agree that falling behind even Red Hat is pretty
> damning in the public eye, though.)
The vulnerability was know before 2001-11-29 (IIRC); that day, the fix
was committed to the public GNU libc CVS at anoncvs.cygnus.com
(nowadays Red Hat).
> Perhaps your point would be better taken if your arithmetic were more
> accurate?
I don't know when Debian was notified of the problem, but it was
probably before 2001-12-14.
--
Florian Weimer Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
Reply to: