On 02/17/2016 02:50 AM, Marcus Meissner wrote:
> Updates are being prepared and will likely be published today.
Really, this raises a couple of questions:

1. It was introduced in 2008. How come? Did no-one review the code change and see the buffer overflow back then?

2. It wasn't detected until now. How come? Has no-one reviewed the code since then?

It's not as if this is a rarely used piece of code in an application used by only a few people to add eye-candy to a desktop! This is core Internet handling code!

<quote>
To the surprise of the Google researchers, they soon learned that glibc maintainers had been alerted to the vulnerability last July.
</quote>

and later

<quote>
It remains unclear why or how glibc maintainers allowed a bug of this magnitude to be introduced into their code, remain undiscovered for seven years, and then go unfixed for seven months following its report. By Google's account, the bug was independently uncovered by at least two and possibly three separate groups who all worked to have it fixed. It wouldn't be surprising if over the years the vulnerability was uncovered by additional people and possibly exploited against unsuspecting targets.
</quote>

And only *NOW* is it considered to be a serious issue and hurry up and fix it.

What was that about woodpeckers ... Ah yes, Gerry Weinberg attributed with the quote in:

Murali Chemuturi (2010) Mastering Software Quality Assurance: Best Practices, Tools and Techniques for Software Developers. p. ix

This http://cafbit.com/entry/reinventing_software_for_security attributes many of the problems we have with 'memory' wrt security to the use of C and C++.

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?