On Fri, Mar 23, 2007 at 05:53:31PM +0100, Michael Buesch wrote: > On Friday 23 March 2007 17:13, Jean Tourrilhes wrote: > > value. It seems that it's too late for the next release of Debian or > > Fedora, > > Wtf? It's too late for a security fix? > How can it be too late for a security fix? Note that I was making a prediction. We'll see if I'm right. Let's not make blanket statements like this about security, security is all about level of risk, there are various level of "security issues" and you need to assign the proper level to this one. One one hand of the scale you have issues that allow remote penetration. Those require immediate attention. On the other end of the scale you have random information leaks. Those are clearly important, but clearly not in the same category. They don't allow remote penetration. They don't allow priviledge escalation. They don't allow denial of service. The 4 bytes leaked are comming from mostly random allocated buffers. The potential of exploitation is very limited. Both the Debian release and Fedora release are well into their respective freeze. In particular, the Debian kernel is frozen and won't change until release. With the amount of issues and open bugs those kernel packagers have, everything is prioritised, and many things in their queue tend to be ignored. The priority those maintainers will assign to this issue will mostly go along the lines outlined above. Risk of changes and potential regression versus risk of attack. This is why I made this prediction. > Greetings Michael. Jean - To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
