-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris Withers wrote:
> Martin v. Löwis wrote:
>> Martin v. Löwis <martin at v.loewis.de> added the comment:
>>
>>> So all Chris has to do to get this applied to 2.5 is craft an exploit based
>>> on the current behavior, right? ;-)
>> Right :-) Of course, security patches should see a much more careful
>> review than regular bug fixes.
>
> Well, it's funny you say that, since where I bumped into this, the bug
> was effectively DOS'ing a couple of mailservers as a result of
> mailinglogger sending out log entries of uncaught exceptions such as
> this and so emitting 100Mb emails whenever the foreign server chose not
> to deliver the whole chunk requested...

If it is possible for a hostile outsider to trigger the DOS by sending
mail to be processed by an application using the library, and the
application can't avoid the DOS without ditching / forking / monkeypatching
the library, then I would call the bug a "security bug", period.

As for backward compatibility: any application which is depending on
getting arbitrarily-long lines in its logfile is already insane, and
should be scrapped.

Tres.
- --
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJsJOB+gerLs4ltQ4RAva/AKC2Ta0edNMxMLxXQM6+WsB4AKo10QCdFF58
ghfy8pT6VlrO0z0QoXnjL7o=
=9lCT
-----END PGP SIGNATURE-----
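As an added example (not code from this thread, from mailinglogger or from the Python standard library's fix): one way an application can stop an email-on-exception handler from relaying an arbitrarily long server response is to cap the size of every formatted log record at the formatter. `BoundedFormatter`, `format_with_cap` and the 4096-character cap are assumed names and values.

```python
import io
import logging

# Constructed cap on one formatted record (characters). A real deployment
# picks something comfortably below what the outgoing mail server accepts.
MAX_RECORD_CHARS = 4096


class BoundedFormatter(logging.Formatter):
    """Formatter that caps each formatted record, traceback included, so a
    handler that mails uncaught exceptions cannot emit a 100 MB message just
    because the exception carried a huge payload (e.g. an unbounded reply)."""

    def __init__(self, fmt=None, limit=MAX_RECORD_CHARS):
        super().__init__(fmt)
        self.limit = limit

    def format(self, record):
        text = super().format(record)
        if len(text) <= self.limit:
            return text
        dropped = len(text) - self.limit
        return text[: self.limit] + "\n...[truncated %d characters]" % dropped


def format_with_cap(payload, limit=MAX_RECORD_CHARS):
    """Log one exception whose message is `payload` through a logger using
    BoundedFormatter and return exactly what the handler emitted."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(BoundedFormatter("%(levelname)s %(message)s", limit))
    logger = logging.getLogger("bounded-formatter-example")
    logger.handlers = [handler]   # isolate from any root configuration
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    try:
        # Constructed stand-in for an exception wrapping an oversized reply.
        raise RuntimeError(payload)
    except RuntimeError:
        logger.exception("uncaught exception")
    handler.flush()
    return buf.getvalue()


if __name__ == "__main__":
    # 10 MB payload here; the 100 MB case from the thread is the same path.
    emitted = format_with_cap("x" * 10_000_000)
    print(len(emitted), "characters emitted")
```

The same formatter can be attached to `logging.handlers.SMTPHandler` or any other mail-sending handler, so the cap applies regardless of which exception carried the oversized data.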