Hi all

Another point on security: some of the issues that have been fixed in a "normal" release do not have a security announcement; this should also be fixed.

Hi

On Mon 21. 11. 2005 01:35, Marc Delisle wrote:
> could you tell me which issues?

I don't know exactly, I can ask for details tomorrow. However, it was some XSS fixed by you (and commented so in CVS).

He was probably talking about this one:

Revision 2.26, Thu Jul 21 11:53:33 2005 UTC, by lem9, Branch: MAIN, Branch point for: QA_2_6_4, Changes since 2.25: +2 -2 lines
bug #1240880, XSS on the cookie-based login panel

It went to 2.6.4, but does not have a security announcement.

Michal Čihař wrote:
> Hi
>
> On Mon 21. 11. 2005 01:35, Marc Delisle wrote:
>> could you tell me which issues?
>
> I don't know exactly, I can ask for details tomorrow. However, it was some XSS fixed by you (and commented so in CVS).
>
> He was probably talking about this one:
>
> Revision 2.26, Thu Jul 21 11:53:33 2005 UTC, by lem9, Branch: MAIN, Branch point for: QA_2_6_4, Changes since 2.25: +2 -2 lines
> bug #1240880, XSS on the cookie-based login panel
>
> It went to 2.6.4, but does not have a security announcement.

Thanks, I'll write one.

Marc

Hi

On Wed 23. 11. 2005 01:53, Marc Delisle wrote:
> Thanks, I'll write one.

You mean for the current one or for the old one? :-)

Marc Delisle wrote:
> Michal Čihař wrote:
>> Hi
>>
>> On Mon 21. 11. 2005 01:35, Marc Delisle wrote:
>>> could you tell me which issues?
>>
>> I don't know exactly, I can ask for details tomorrow. However, it was some XSS fixed by you (and commented so in CVS).
>>
>> He was probably talking about this one:
>>
>> Revision 2.26, Thu Jul 21 11:53:33 2005 UTC, by lem9, Branch: MAIN, Branch point for: QA_2_6_4, Changes since 2.25: +2 -2 lines
>> bug #1240880, XSS on the cookie-based login panel
>>
>> It went to 2.6.4, but does not have a security announcement.
>
> Thanks, I'll write one.
>
> Marc

I counted 2 others, so I issued an alert for those 3 problems.

Regarding the new one you just fixed, was it present in 2.6.4?

Marc

On Wed 23. 11. 2005 22:51, Marc Delisle wrote:
> I counted 2 others, so I issued an alert for those 3 problems.

We should also handle in the same announcement the new one I sent recently. It looks to me like it is still not fixed...

> Regarding the new one you just fixed, was it present in 2.6.4?

You mean the HTTP_HOST issue? Yes, it is; the related code is commented as being from 2001/25/11...

Michal Čihař wrote:
> On Wed 23. 11. 2005 22:51, Marc Delisle wrote:
>> I counted 2 others, so I issued an alert for those 3 problems.
>
> We should also handle in the same announcement the new one I sent recently. It looks to me like it is still not fixed...

The one from Debian? I think you fixed it with
* libraries/.htaccess: Deny access to libraries folder over HTTP.

But I would put it in a new announcement, along with the one concerning HTTP_HOST, since they are both fixed in 2.7.0.

>> Regarding the new one you just fixed, was it present in 2.6.4?
>
> You mean the HTTP_HOST issue? Yes, it is; the related code is commented as being from 2001/25/11...

Instead of a backport to QA_2_6_4, I suggest waiting for 2.7.0's release for an announcement.

Marc

Hi

On Thu 24. 11. 2005 08:19, Marc Delisle wrote:
> Michal Čihař wrote:
>> On Wed 23. 11. 2005 22:51, Marc Delisle wrote:
>>> I counted 2 others, so I issued an alert for those 3 problems.
>>
>> We should also handle in the same announcement the new one I sent recently. It looks to me like it is still not fixed...
>
> The one from Debian? I think you fixed it with
> * libraries/.htaccess: Deny access to libraries folder over HTTP.

This doesn't allow us to ignore holes in libraries and will be in 2.7.1, so 2.7.0 is still affected. I'll include that patch.

> But I would put it in a new announcement, along with the one concerning HTTP_HOST, since they are both fixed in 2.7.0.
>
>>> Regarding the new one you just fixed, was it present in 2.6.4?
>>
>> You mean the HTTP_HOST issue? Yes, it is; the related code is commented as being from 2001/25/11...
>
> Instead of a backport to QA_2_6_4, I suggest waiting for 2.7.0's release for an announcement.

Okay for me.

On Mon 21. 11. 2005 01:14, Michal Čihař wrote:
> Another point on security: some of the issues that have been fixed in a "normal" release do not have a security announcement; this should also be fixed.

Eh, I just found one :-). XSS in index.php on HTTP_HOST...
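
The HTTP_HOST issue discussed in this thread is the general case of a request header being reflected into HTML: in PHP, $_SERVER['HTTP_HOST'] is populated straight from the client's Host header, so it is attacker-controlled input like any form field. The snippet below is an added illustration, not phpMyAdmin's code and not the fix that went into 2.7.0; all function names and the sample request are hypothetical. It shows the unsafe pattern beside two defensive ones: escaping at the output boundary, and validating the header against a configured allow-list instead of trusting it.

```php
<?php
// Added example (hypothetical helpers, not phpMyAdmin code): the Host header
// is request-controlled, so reflecting $_SERVER['HTTP_HOST'] into HTML
// without escaping is a reflected XSS.

declare(strict_types=1);

// Unsafe pattern: the raw header value lands in the page unchanged.
function render_target_unsafe(string $host): string
{
    return '<input type="hidden" name="target" value="' . $host . '">';
}

// Defence 1: escape at the output boundary so no header value can break
// out of the attribute context. ENT_QUOTES also converts the double quote.
function render_target_escaped(string $host): string
{
    return '<input type="hidden" name="target" value="'
        . htmlspecialchars($host, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Defence 2: do not trust the header at all. Accept only a syntactically
// valid hostname (optional :port) whose name is on a configured allow-list,
// and fall back to a known value otherwise.
function canonical_host(array $server, array $allowed, string $fallback): string
{
    $raw = $server['HTTP_HOST'] ?? '';
    // Syntactic check: DNS label characters, optional :port, nothing else.
    if (!preg_match('/^[A-Za-z0-9.-]+(:[0-9]{1,5})?$/', $raw)) {
        return $fallback;
    }
    $nameOnly = strtolower(explode(':', $raw, 2)[0]);
    return in_array($nameOnly, $allowed, true) ? $raw : $fallback;
}

// Constructed sample request: a Host header carrying a closing quote and a
// tag, the shape of input a reflected-XSS report would describe.
$sample = ['HTTP_HOST' => 'pma.example.test"><b>injected</b>'];

// Raw value closes the attribute and injects markup.
echo render_target_unsafe($sample['HTTP_HOST']), "\n";

// Quotes and angle brackets become &quot; &gt; &lt; and render as inert text.
echo render_target_escaped($sample['HTTP_HOST']), "\n";

// Malformed header is rejected outright; the configured host is used instead,
// and it is still escaped on output (defence in depth).
$host = canonical_host($sample, ['pma.example.test'], 'pma.example.test');
echo render_target_escaped($host), "\n";
```

Escaping alone closes the XSS; the allow-list additionally prevents the same header from being used to build absolute URLs or redirects that point at a host the attacker chose, which is the other common consequence of trusting Host.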