On 24 Jul, Don Lewis wrote:
> At a minimum, we should publish the hash values of buggy and fixed
> versions of the library. That might not help someone who builds and
> installs from source since the build might not be completely repeatable.
> For instance the library might contain a timestamp.
Adding a static string "CVE-2016-1513 Fixed" to the source is another
possibility. On *nix, the user/administrator can run:
    strings whatever.so | grep CVE
and look for the above to verify that the fixed library has been
installed. Someone would have to figure out how to do the equivalent on
Windows.
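
Added example, not part of the original message or of the project's code: a portable Python equivalent of the `strings whatever.so | grep CVE` check that also runs on Windows. The function names, the UTF-16LE scan and the sample byte strings are assumptions made for this illustration.

```python
import re

MARKER = b"CVE-2016-1513 Fixed"  # marker string proposed in the message above
MIN_LEN = 4                      # same default minimum run length as strings(1)

# Runs of printable ASCII, as strings(1) reports them.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# The same characters stored as UTF-16LE (each followed by a NUL byte), which
# is how wide-character literals are laid out in Windows binaries.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def printable_strings(data):
    """Yield every printable string found in data, in either encoding."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.group().decode("utf-16-le")


def cve_markers(data):
    """Equivalent of `strings file | grep CVE`: sorted, de-duplicated hits."""
    return sorted({s for s in printable_strings(data) if "CVE" in s})


def is_fixed(data, marker=MARKER):
    """True if the 'fixed' marker appears in any extracted string."""
    text = marker.decode("ascii")
    return any(text in s for s in cve_markers(data))


def check_file(path):
    """Read a library from disk and report whether it carries the marker."""
    with open(path, "rb") as fh:
        return is_fixed(fh.read())


# Constructed sample bytes standing in for library images (not real binaries).
SAMPLE_FIXED = b"\x7fELF\x02\x01\x00\x00" + MARKER + b"\x00\x90\x90libfoo\x00"
SAMPLE_OLD = b"\x7fELF\x02\x01\x00\x00no marker here\x00\x90\x90libfoo\x00"
SAMPLE_WIDE = b"MZ\x90\x00" + MARKER.decode().encode("utf-16-le") + b"\x00\x00"

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, "fixed" if check_file(p) else "marker not found")
```

Pass one or more library paths on the command line. A hit shows only that the marker string is present in the file; it does not replace comparing published hash values.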