On 1/27/20 11:17 PM, Quanah Gibson-Mount wrote:
> --On Monday, January 27, 2020 10:45 PM +0100 Michael Ströder
>> On 1/27/20 10:19 PM, Quanah Gibson-Mount wrote:
>>> To me, frequent releases
>>> generally indicate an immature, unstable, and buggy product. ;)
>> Are you sarcastic here?
> No, not at all. [..] If we release every 2 weeks, but slapd core
> dumps 90% of the time, is that really better? Sure, the project
> looks more "active", but I wouldn't see that as a benefit/gain.
ITS#9124 has been known for almost two months now and there's no upstream
release with a fix. (And remember that I've tested the RE24 branch, revealing
that the first fix was segfaulting.)
=> The OpenLDAP project needs more continuous testing to be able to
provide quicker releases in such an emergency case.
Just being slower and leaving such a security issue to packagers adding
back-ports is not stable (for whatever definition of "stable").
P.S.: And yes, cyrus-sasl is even worse by not handling CVE-2019-19906
(first filed as ITS#9123).