On Sun, Sep 04, 2005 at 04:48:22PM -0400, Joey Hess wrote:
> > Regarding that bug, I've been searching all slash CVS tree and mailing
> > lists but I wasn't able to find this patch everyone is referring to
> > (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=160579;msg=42).
> > AFAICT no security fix was made available separately.
>
> No one said a fix was made available separately. If you read the URL I posted
> in my first message to this bug report you can see the following response
> from the slashcode authors:
>
> http://marc.theaimsgroup.com/?l=bugtraq&m=103238514720237&w=2
>
> The code changes we have made are as follows:
>
> (1) even unsuccessful login attempts, using the URL format
> we provide, will be given a 302 Redirect to remove the
> username and (wrong) password from the query string;
>
> (2) Slash sites which use our code now must set a variable
> if they want to offer the "totally insecure" option to
> their users; by default, for current sites and new
> sites, it will be off.
>
> These code changes are in CVS now and will be on slashdot.org soon.
>
Obviously I read your first message _and_ the URL you sent me. Reposting that doesn't help in any way. I said in a previous message that I skimmed through the whole CVS tree and was unable to isolate the changes mentioned above. Pointing me to the same URL again and again won't help us solve that bug.

Please rather post a patch or, if you don't have one, a pointer to the useful changes in the CVS tree would be appreciated.

Best regards,

--
Eric VAN BUGGENHAUT
[EMAIL PROTECTED]
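
The two changes described in the quoted Bugtraq response, shown as an added example; this is not code from Slash, its CVS tree, or anyone in this thread. The parameter names `user`/`pass`, the `allow_url_login` setting and the sample URLs are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hypothetical parameter names; the thread does not give Slash's real ones.
CREDENTIAL_PARAMS = {"user", "pass"}

# Hypothetical site setting for change (2): off unless the site opts in.
DEFAULT_SITE_CONFIG = {"allow_url_login": False}


def strip_credentials(url):
    """Return (clean_url, had_credentials) with credential parameters removed."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k not in CREDENTIAL_PARAMS]
    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean, len(kept) != len(pairs)


def handle_request(url, check_password, site_config=DEFAULT_SITE_CONFIG):
    """Return (status, headers, logged_in_user) for a request URL."""
    clean_url, had_credentials = strip_credentials(url)
    if not had_credentials:
        return 200, {}, None

    user = None
    # Change (2): credentials in the URL are only honoured when the site
    # has explicitly enabled the option; the default is to ignore them.
    if site_config.get("allow_url_login", False):
        params = dict(parse_qsl(urlsplit(url).query))
        name, password = params.get("user", ""), params.get("pass", "")
        if check_password(name, password):
            user = name

    # Change (1): redirect whether or not the login succeeded, so the
    # username and password (right or wrong) do not remain in the address
    # bar, browser history or a later Referer header.
    return 302, {"Location": clean_url}, user
```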

