[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian glibc security update

Branden Robinson <branden@debian.org> writes:

> http://lwn.net/2002/0117/security.php3
>
> "Debian took two months to distribute a fix for a glibc buffer overflow
> vulnerability. This week's glibc updates from Debian and Slackware
> distribute a fix for the problem about two months after the first update
> from Red Hat on December 14th."
>
> I don't know what calendar the LWN editorial staff uses, but where I
> live, the duration from December 14th to January 13th (the day the
> Debian security advisory was released), more closely resembles one month
> than two.  (I would agree that falling behind even Red Hat is pretty
> damning in the public eye, though.)

The vulnerability was know before 2001-11-29 (IIRC); that day, the fix
was committed to the public GNU libc CVS at anoncvs.cygnus.com
(nowadays Red Hat).

> Perhaps your point would be better taken if your arithmetic were more
> accurate?

I don't know when Debian was notified of the problem, but it was
probably before 2001-12-14.

-- 
Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
Reply to: