Message-ID: <41125BBF.1020106@mac.com>
Date: Thu, 05 Aug 2004 12:09:35 -0400
From: Chuck Swiger
To: Andrey Chernov
In-Reply-To: <20040805154139.GA45715@nagual.pp.ru>
cc: FreeBSD Ports
Subject: Re: update vulnerable libpng to fixed version?

Andrey Chernov wrote:
> On Thu, Aug 05, 2004 at 07:29:15PM +0400, Andrey Chernov wrote:
>> Since CERT entry VU#388984 does not point to any patch, I can only guess that
>> this bug is fixed by official 0-11 patches I committed several hours ago.
[ ... ]
> "NOTE! This patch serves as demo purposes for the flaws only. An official
> v1.2.6 libpng with an official, slightly different fix will be released by
> the libpng team in parallel with this advisory."
>
> What is in 1.2.6 in that place is equal to 1.2.5 official patches. Patch
> from CESA is not used.

Perhaps CERT jumped the gun on releasing the advisory, before the libpng
people had a chance to fully test 1.2.6? You seem to be suggesting so, and
it wouldn't be the first time CERT has released something without full
coordination with the authors.

Anyway, if the issues identified in 1.2.5 are updated by patches which
you're committing today, so much the better. Thanks for responding so quickly.

-- 
-Chuck