Re: util.c hole and speed of security patch release

[Randy Terbush <ra...@zyzzyva.com>]

> In reply to Jennifer Myers who said
> > 
> > 
> > Incidentally, I wrote to NASIRC yesterday (the originators of this
> > latest advisory) and they informed me that they noted the
> > presence of the same escape_shell_cmd() code in src/util.c as in
> > cgi-src/util.c, but did not examine the source code any further to
> > determine whether there was actually any vulnerability there.
> > (Seems that they really jumped the gun in posting the advisory.)
> 
> Exactly what I thought. Maybe we should ask them to post an addendum to
> allay all the unecessary fear they caused.
> 
> Undermines any credibility they have as a security alerting service.

I think there is good reason to contact them regarding this "alert".