On Thu, Jul 14, 2005 at 07:43:35AM -0400, Jeff Trawick wrote:
> I'm so confused while trying to draw the line between
>
> alternate RFC-compliant philosophy
> fixes for actual RFC violations
> fixes for security issues
>
> I think CHANGES should be crystal clear on what change has a security
> implication.

I am also confused and still trying to catch up and understand these changes...

Bill, can you please describe *exactly* what security issues you see in the 2.0 proxy after the two already-committed patches (r219061)?

CAN-2005-2088 MUST NOT be used to refer to anything other than the specific issue described in the WatchFire report. When you start bandying this CVE reference around with each new patch it defeats the purpose of having a CVE reference in the first place. If there are wider issues in the proxy then they will need new CVE names assigned.

Regards,

joe