Michael Krax wrote:
The patches were checked-in into public CVS. People creating malware follow
CVS updates closely and know everything they need based on the patch and
comments.
If something goes into public CVS I consider it therefore public and it
should be addressed by an advisory as soon as possible.
I'd say that's fair enough.
I have no problem with keeping an unpatched bug a secret. I kept #260560
secret for 3 months before releasing a public advisory - and requested
multiple status reports before (with no success). But silent CVS check-ins
are just security by obscurity.
Thank you for your responsible attitude :-)
Gerv
_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security