bug-cvs

Re: CVS 1.11.5 Released (Security Update)


From: Paul Edwards
Subject: Re: CVS 1.11.5 Released (Security Update)
Date: Tue, 21 Jan 2003 14:02:30 GMT

"Derek Robert Price" <derek@ximbiot.com> wrote in message 
news:mailman.647.1043101220.21513.bug-cvs@gnu.org...
> Without going into too much detail, the vulnerability allows read-only
> CVS users to execute arbitrary code as the user the CVS server
> executable is running as.

Can you tell me whether these bugs are generally being introduced
by enhancements, or whether they are long-standing bugs, recently
uncovered?

I was wondering if rather than every release replacing one set
of bugs with another set of bugs, we could have a particular
version (maybe starting with 1.11.5), which will be continually
updated, with bug fixes only, even when version 1.14.17 has
just been released.

Basically have a version of CVS that is bug-free as far as anyone
knows.

And repeat this process every 4 years, so that the "genuinely"
stable version is eventually updated.  But those who want the
features only made available in the last 4 years are not
impacted at all.  But any bug fixes found, are retrofitted into
the last stable version.

Is this feasible?

BFN.  Paul.



