[FFmpeg-devel] FFmpeg vulnerability #1
Thu Jan 29 21:39:27 CET 2009
On Thu, Jan 29, 2009 at 10:44:55AM +0100, Tobias Klein wrote:
> Just wanted to let you know that I released my advisory.
Good, now please fix the History to match the truth
it currently says:
Patch development time: 3 days
2009/01/25 - FFmpeg maintainers notified
2009/01/27 - Patch developed by FFmpeg maintainers
2009/01/28 - Public disclosure of vulnerability details by FFmpeg
2009/01/28 - Release date of this security advisory
It's an outright lie that we were notified on the 25th.
Your mail that _asked_where_to_ you should send the information was sent
on the 25th; it was stuck in your mail servers for 2 days, as I've already told
Received: from mo-p00-fb.rzone.de (EHLO mo-p00-fb.rzone.de) [188.8.131.52]
by mx0.gmx.net (mx012) with SMTP; 27 Jan 2009 00:06:02 +0100
Received: from mo-p00-ob.rzone.de (fruni-mo-p00-ob.mail [192.168.63.71])
by charnel-fb-03.store (RZmta 18.10) with ESMTP id i05ae6l0PC9eTZ
for <michaelni at gmx.at>; Sun, 25 Jan 2009 14:41:59 +0100 (MET)
Besides, this was a mail asking where to send the vuln info to, not anything
that would even have hinted in what part of ffmpeg the issue is. I'd hardly
call that "notified".
The actual info was sent from you to me Tue, 27 Jan 2009 20:51:13 +0100.
I sent you the patch Tue, 27 Jan 2009 22:42:15 +0100
and could have committed it at once but was waiting for you to reply.
That's not what I would be calling 3 days.
Anyway, besides calling 2 hours 3 days, I am of course thankful
about any vuln found.
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
There will always be a question for which you do not know the correct answer.