<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 8/27/2018 6:40 AM, Bron Gondwana
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:065a4d3f-b5af-4146-85f3-41e2eff01440@sloti22d1t06">
<div style="font-family:Arial;">On Mon, Aug 27, 2018, at 09:49,
Dilyan Palauzov wrote:<br>
</div>
<blockquote type="cite" id="fastmail-quoted">
<div style="font-family:Arial;">Hello,<br>
</div>
<div style="font-family:Arial;"><br>
</div>
<div style="font-family:Arial;">isn't it time to update the
Cyrus Bylaws <br>
</div>
<div style="font-family:Arial;"><a class="moz-txt-link-freetext" href="https://www.cyrusimap.org/overview/cyrus_bylaws.html">https://www.cyrusimap.org/overview/cyrus_bylaws.html</a>
?<br>
</div>
</blockquote>
<div style="font-family:Arial;"><br>
</div>
<div style="font-family:Arial;">Perhaps. This is the first time
it's been raised in my memory, at least since we last updated
them. We do have a plan to update code licensing and possibly
rehome the websites and copyrights, since CMU no longer have a
strong interest in maintaining the project.<br>
</div>
<br>
<blockquote type="cite" id="fastmail-quoted">
<div style="font-family:Arial;">Are the concerns raised recently
by Quanah the only blockers for cyrus <br>
</div>
<div style="font-family:Arial;">sasl 2.1.27 and what reasons
prevent releasing cyrus sasl 2.1.27 <br>
</div>
<div style="font-family:Arial;">within two months?<br>
</div>
</blockquote>
<div style="font-family:Arial;"><br>
</div>
<div style="font-family:Arial;">I will leave this for Ken to
answer, as SASL is more his department. I believe the blockers
were waiting on testing to ensure there wasn't any regression -
the cyrus-sasl code doesn't have a comprehensive test suite.<br>
</div>
<div style="font-family:Arial;"><br>
</div>
<div style="font-family:Arial;">Regards,<br>
</div>
<div style="font-family:Arial;"><br>
Bron.<br>
</div>
<div style="font-family:Arial;"><br>
</div>
<div style="font-family:Arial;">--<br>
</div>
<div id="sig56629417">
<div class="signature"> Bron Gondwana, CEO, FastMail Pty Ltd<br>
</div>
<div class="signature"> <a class="moz-txt-link-abbreviated" href="mailto:brong@fastmailteam.com">brong@fastmailteam.com</a><br>
</div>
</div>
</blockquote>
I would like to see something official about handling
vulnerabilities. That ref count leak I found should have been
handled as a CVE -- the CVE-organization person did email me and
admit he had dropped the ball; he was notified and never got back
to libsasl folks. I can see that for a
low-CVSS-score vulnerability (the attack required login to the
affected machine) but someday a buffer overflow may turn out to be a
high-score vulnerability.<br>
<br>
I'll look for that old email, but I'm not sure what to search on.<br>
<br>
Thanks,<br>
Jan<br>
<pre class="moz-signature" cols="72">--
Jan Parcel, Software Developer
Oracle Systems Server &amp; Cloud Engineering</pre>
</body>
</html>