On 8/29/2011 3:31 PM, Stefan Fritsch wrote: > > Jim offered to RM 2.2.20, but I don't know what timezone he is in. If > 2.2.20 doesn't happen today, it may be good to publish the patch in an > update to the advisory. But I am in the wrong timezone for that ;-)
If byterange_filter.c to 2.2.x branch is baked and closes the vulnerability, it seems prudent to backport this now and also publish both immediately, 2.2.20 can't happen without the whole release vote. If anyone envisioned publishing 2.0 for this issue, we would further have to T&R apr 0.9.20 to close the fnmatch issue on that version, adding another day or three to that release cycle. We are a patch-y server, and publishing something seems overdue.
