On Sun, 2007-10-21 at 14:03 -0400, William L. Thomson Jr. wrote: > On Sun, 2007-10-21 at 17:41 +0100, Mark Thomas wrote: > > William L. Thomson Jr. wrote: > > > I take it down streams should run with the first patches to work around > > > this vulnerability till next release. I already applied the one liner, > > > kinda glad I did not apply the other last night ;) Please advise, > > > thanks. > > > > You need a version of the second patch for a complete fix. If you want > > logging - apply my version, if you don't - apply Remy's. Both fix the > > problem, just in slightly different ways. > > > > We'll have to wait and see which way the voting goes for which patch > > gets incorporated into the code base. > > That's what I am interested in, and willing to wait a bit for. Don't > want to appear to be taking sides or adding in my own opinion based on > which one to apply/go with or not. Prefer to stick with what ever > direction upstream goes in and/or recommends. >
For what it's worth, I am thinking logging might be best. Mostly because to my understanding one must be authorized in webdav or etc to be able to exploit the vulnerability. So it's more of an attack from within, and IMHO it's even more important to log those. It's one thing to be attacked from the outside world, but being attacked from within can be worse. Since in theory they are trusted to a point. Either way I do agree with the other post on being consistent with other projects. -- William L. Thomson Jr. Gentoo/Java
signature.asc
Description: This is a digitally signed message part
