Boost logo

Boost :

Subject: [boost] Security bugs policy
From: Artyom Beilis (artyomtnk_at_[hidden])
Date: 2012-12-22 16:15:12

Hello, I would like to know if there is any policy about security bug fixes, updates or releases. What I'm talking about. Consider a security related bug discovered in boost library. For example: For example recently reported bug in Boost.Locale that will be fixed in 1.53 I consider it security bug as an application that validates the input (checks if it is UTF-8) may accept an invalid sequence. Or very critical bug in UUID (fixed in 1.43): That any application that used them may be target to UUID guessing. These kind of bugs in general should be considered critical and somehow published, it may be also important to backport the fixes to stable releases, because not everybody can move forward and they may need to stick with older releases (as Boost is neither ABI nor API backward compatible even between minor releases).   Annoucements of such bugs may be critical for example for stable Linux distributions that ship some older Boost versions and likely need to backport such bug fixes to their own boost tree because Boost doesn't do it. Questions: - Do we have any policy about it? - If not we probably need one including backporting of security bug fixes to stable releases. What brings me to other issues... Should Boost support older releases with critical bug fixes/security bug fixes? For how long time? Artyom Beilis -------------- CppCMS - C++ Web Framework: CppDB - C++ SQL Connectivity:

Boost list run by bdawes at, gregod at, cpdaniel at, john at