> I do hope a lot of the work gets ported to other distributions so it is in common use.
Not only to other distributions, but also to upstreams (for software that we package). Both of these things have been happening throughout the 10 years (individual pieces and concepts got into "base systems" of ALT Linux, Mandriva, FreeBSD, DragonFly BSD, OpenBSD; other Openwall software is also packaged for all major Linux distros and *BSDs; many of our patches got into upstream repositories/versions of software that we package), but we still do have more stuff to "export" - and we're trying to.
The flaw is not and never was in the IJG library.
It was in Netscape (at least 3.0 through Mozilla M15 which was current at the time I found the bug in 1999). And that bug was patched in response to my report in Netscape and Mozilla in 2000. I then published the advisory.
Apparently, Microsoft independently introduced the same bug into their code around two years later. It was reported to them in 2003, and we saw them fix and announce it now.