Thomas Biege wrote:
> Hello,
> Alan T. DeKok added some patches to the freeradius
> CVS based on a report from us. There are only minor bugs like some file
> descriptors may not be closed, an off-by-one, a possible LDAP injection,
> and maybe some more things he'll like to add.
>
> Unfortunately he doesn't want to negotiate a coordinated release date.

This statement misrepresents our position, which we have previously articulated to Suse:

(1) We are prepared to coordinate a public statement about the issues raised by Suse.

(2) We have analyzed the issues raised by Suse, and we believe that the issues are minor, and not externally exploitable.

(3) We believe a coordinated release is not necessary for minor bug fixes that have little or no customer impact.

Saying we don't "want" to negotiate a coordinated release date is inappropriate, and contradicts our previous statements to Suse.

As background, Suse informed us privately of the issues, and asked us to coordinate a release date. We examined the issues they raised, and determined that they did not have the severity claimed by Suse. We then decided that a coordinated release date was not necessary, and informed Suse of this.

Further, we had substantial technical concerns with the report (66% false positive rate, among others), which we raised with Suse. To this date, Suse has not responded in any way to our concerns.

We are disappointed that Suse has felt it necessary to misrepresent our position in a vendor forum.

If anyone is interested in our full response to Suse's report, please email me privately at

Alan DeKok.
Project Leader, The FreeRADIUS Server Project