Juliusz, thank you for looking into this.

On 15.03.2014 23:31, Juliusz Chroboczek wrote:
>>>> commit 0e2b44af619e46e365971ea52b97457bc0778cd3
>>>> Author: Christopher Davis <[email protected]>
>>>> Date: Mon Jan 11 18:55:41 2010 -0800
>
>>> That's full of bugs.

That commit was released to Debian by Moritz Mühlenhoff to fix CVE-2011-3596. I've only become polipo maintainer after this happened and I never looked into the problem itself or the patch.

I'm sorry, but an unspecific "that's full of bugs" coupled with some random commit ID isn't going to trigger "I need to look into this" here. I simply overlooked this, so the rather aggressive tone by Mr Kerneis is simply uncalled for.

I came late to this CVE-2011-3596 party so I asked Moritz, to get more information, but he doesn't remember too many details. He acted as Debian security staff without any deeper involvement or knowledge about polipo or what it does. His last reply to me ended in "If upstream dislikes the patch, you should consider dropping it since they have the best knowledge of the code base" (translation by me).

> Would somebody be so kind as to tell me what this is supposed to fix?
> If it's simply the inability of the local interface to deal with
> Expect:continue, I can put a quick workaround.

Even though I tried to get you that information, it seems that nobody could tell you anything else from what is already publicly available.

https://bugs.debian.org/644289
http://seclists.org/fulldisclosure/2011/Oct/10
https://security-tracker.debian.org/tracker/CVE-2011-3596

I will CC this message to the author of the patch, maybe he can shed some light on his approach.

It would be nice to see some kind of fix for this, but I agree the security implications of this are fairly minor.

Regards
Rolf
