Tony Collen wrote:
Joerg Heinicke wrote:
http://www.securiteam.com/securitynews/6W00L0U8KC.html
Hey, someone wanted to test the Cocoon community :-)
Joerg
Hm, I think we should consider releasing 2.1.3 as a security update.
+1 I thought Carsten had already proposed a date because of the Gettogether improvements?
In this case, do we have any procedure for fixing something "bad" like the directory traveral bug, and getting a fix out to users in a timely fashion?
One possible solution: Fix the problem in CVS HEAD, and then backport it to the last released version (in this case 2.1.2), and make a small security update release -- maybe as 2.1.3 or 2.1.2pl1 or something.
Even though the problem isn't that bad since it's in a sample, something may come down the road later where we have to fix something of a more serious nature, and get a new version out. Waiting for a freeze/release cycle might be too long if the problem is urgent enough.
Thoughts?
Tony
