hi,
So they still distribute 3.0.12, but with everything fixed.
no. not everything fixed. everythign fixed would be eg 3.0.15 - I still dont understand why they dont just upgrade the version rather than do backports.
This way of incorporating security-related bug fixes into source is interesting in a number of ways: - Sometimes it's simpler: For the TLS-Cache issue with 3.0.12, they simply changed the default config by removing the entire cache {} section from the eap config file. --> quick, simple, and non-disruptive (could only hamper performance in special cases)
ummm, okay - so for any sites doing lots of EAP, performance sucks. those people then come to the list and we tell them to 'just enable the cache option in eap module - et voila! now server insecure because the version in use was not patched! their solution is awful! :(
- For the fuzzing issues found in 3.0.14, they incorporated the fixes into their 3.0.12 source tree -- but it took them 11 days in this case. This includes extensive tests, though.
..why not just use 3.0.14? what a waste of their time/resources . :/ sorry, if someone says they are using 3.0.12 then I can only assume its the same code as I know/see - if someone else has been playing around with it, removing things, changing things then who knows what else is broken or not working? fundamentally, there are more issues/errors than just some security issues - theres a reason why 3.0.15 exists, for example, and why we say people should use it - many other things , many other fixes/features. no break on upgrade. alan