* Brian Potkin [2014-02-27 16:22:57 +0000]:
> It was remiss of me not to have pushed the initial report of the bug
> upstream, but the str database was offline and I also had got it into my
> head that upstream was not considering any further changes to 1.5.3. If
> it is thought appropriate I could make amends for this lack of
> judgement. :)
Would it be appropriate to backport the fix from 1.7.1? Any client-side fix is going to be difficult to deploy: the clients with a buggy IPP back-end may not even be running Debian.

But it sounds like upstream doesn't have any server-side mitigation for this yet; maybe that's worth pointing out in an STR. (I'm not sure what countermeasures there could be; tarpitting of clients with excessive error rates, perhaps? In any case I'd look for something generic, that can protect from a whole class of accidental or deliberate DoS attacks.)