On 1/27/20 11:17 PM, Quanah Gibson-Mount wrote:
> --On Monday, January 27, 2020 10:45 PM +0100 Michael Ströder michael@stroeder.com wrote:
>> On 1/27/20 10:19 PM, Quanah Gibson-Mount wrote:
>>> To me, frequent releases generally indicate an immature, unstable, and buggy product. ;)
>> Are you sarcastic here?
> No, not at all. [..] If we release every 2 weeks, but slapd core dumps 90% of the time, is that really better? Sure, the project looks more "active", but I wouldn't see that as a benefit/gain.
ITS#9124 has been known for almost two months now and there's no upstream release with a fix. (And remember that I've tested the RE24 branch, revealing that the first fix was segfaulting.)
=> The OpenLDAP project needs more continuous testing to be able to provide quicker releases in such an emergency case.
Just being slower and leaving such a security issue to packagers adding back-ports is not stable (for whatever definition of "stable").
Ciao, Michael.
P.S.: And yes, cyrus-sasl is even worse by not handling CVE-2019-19906 (first filed as ITS#9123).