Bugs happen. Perhaps more unusual is that the two problems reported today by Michal Zalewski were fixed nine or more months ago and that the fixed code has been publicly available all that time. Number one was fixed as the accidental side effect of a code reorg. Number two was fixed by an explicit bugfix (not thought to be security related at the time). Unfortunately, number two did not feature in Michal's draft advisory that I worked off last week; I'd happily have fixed some technical inaccuracies in his text.

This episode is a reminder that bugs don't necessarily go away even when they are fixed. Once the source code goes out the door you no longer control what happens with it. The result is that people can discover old fixed bugs in "brand-new" software.

This phenomenon is far from new. As someone told me in private email, Robert Morris Sr. lamented that he personally had fixed some of the security bugs in the UNIX utilities back in the late '70s, but they were still being exploited almost 20 years later.

Wietse