nano-devel

Re: [Nano-devel] New prerelease for security tweaks


From: Chris Allegretta
Subject: Re: [Nano-devel] New prerelease for security tweaks
Date: Wed, 14 Apr 2010 12:44:15 -0400

On Fri, Apr 9, 2010 at 11:16 AM, Chris Allegretta <address@hidden> wrote:
> On Thu, Apr 8, 2010 at 10:14 AM, Jordi Mallach <address@hidden> wrote:
>> On Wed, Apr 07, 2010 at 11:25:43AM -0400, Chris Allegretta wrote:
>>> As you're a downstream maintainer, if you or Mike or another
>>> maintainer are strongly in favor of an official release sooner rather
>>> than later, with the caveat that we'll be missing one translated
>>> string from the release, I'm fine with it.  This isn't the type of
>>> string that anyone is going to see normally anyway.
>>
>> Not at all. I think the (normal) schedule you proposed is more than ok.
>> I'll try to get the fix in Ubuntu 10.04 LTS though. There's no urgency
>> for Debian right now. :)
>
> Alright, Dan (the fine gentleman who found these issues) sent me a
> patch with a better fix for the backup file code, which I was able to
> work into something that no longer requires the strings to change.
>
> I put up a new test tarball using those fixes at
> http://www.nano-editor.org/dist/test/nano-2.2.4pre3.tar.gz if anyone
> is interested in testing it out.  I'm going to eat my own dog food
> with this version over the weekend and then will consider a release.

Mike F found some issues with speller file handling, which uncovered
some more issues with how we were handling current_stat.  I made up a
new tarball based on those fixes, and in the interim it's available at

http://www.nano-editor.org/dist/test/nano-2.2.4pre4.tar.gz

Mr Rosenberg actually posted a notice to the OSS security folks (I was
going to wait until after the official release but that's trivia at
this point), so we'll see whether there are CVEs assigned for the
issues, so I can denote them in the ChangeLog and make the official
release if/after those numbers are assigned, and assuming no further
issues are discovered with the latest test tarball.



