"Karsten Hopp" <[EMAIL PROTECTED]> writes: > Does anybody know if the security vulnerabilities CAN-2004-1487 and > CAN-2004-1488 will be fixed in the new version ?
Yes on both counts.

> There seems to be at least some truth in the reports (ignore the
> insulting tone of the reports).
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1487
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1488

I've read them. The first one is fairly improbable because it requires special DNS setup for ".." to resolve to an IP address. The second one poses a real problem, which I simply never considered.

I'm not sure if either issue is critical enough to warrant a 1.9.2 release. The proximity of 1.10, which fixes both problems, makes it unnecessary.
