[FFmpeg-devel] FFmpeg vulnerability #1

Michael Niedermayer michaelni
Thu Jan 29 21:39:27 CET 2009


On Thu, Jan 29, 2009 at 10:44:55AM +0100, Tobias Klein wrote:
> Just wanted to let you know that I released my advisory.

Good, now please fix the History to match the truth.

It currently says:
Patch development time: 3 days
...
  2009/01/25 - FFmpeg maintainers notified
  2009/01/27 - Patch developed by FFmpeg maintainers
  2009/01/28 - Public disclosure of vulnerability details by FFmpeg 
               maintainers
  2009/01/28 - Release date of this security advisory

It's an outright lie that we were notified on the 25th.
Your mail that _asked_where_to_ you should send the information was sent
on the 25th; it was stuck in your mail servers for 2 days, as I've already told
you:
Received: from mo-p00-fb.rzone.de (EHLO mo-p00-fb.rzone.de) [81.169.146.163]
        by mx0.gmx.net (mx012) with SMTP; 27 Jan 2009 00:06:02 +0100
Received: from mo-p00-ob.rzone.de (fruni-mo-p00-ob.mail [192.168.63.71])
        by charnel-fb-03.store (RZmta 18.10) with ESMTP id i05ae6l0PC9eTZ
        for <michaelni at gmx.at>; Sun, 25 Jan 2009 14:41:59 +0100 (MET)
Besides, this was a mail asking where to send the vuln info to, not anything
that would even have hinted in what part of ffmpeg the issue is; I'd hardly
call that "notified".
The actual info was sent from you to me Tue, 27 Jan 2009 20:51:13 +0100.
I sent you the patch Tue, 27 Jan 2009 22:42:15 +0100
and could have committed it at once but was waiting for you to reply.
That's not what I would be calling 3 days.

Anyway, besides calling 2 hours 3 days, I am of course thankful
for any vuln found.

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

There will always be a question for which you do not know the correct answer.