I think we need to be clear about the support lifecycle for older
versions - I remember 3.0.x was being supported for a while when 3.1.x
was in use - I'm not sure if anyone has taken on 3.1.x support?

Debian 6.0 (squeeze) is carrying the 3.1.7 package.
http://packages.debian.org/search?keywords=ganglia-webfrontend

The Debian security team will accept a patch on that (e.g. a 3.1.8
release) - they won't accept other changes. For example, they won't
push out a 3.5.1 package to Debian 6.0 users.

Even when Debian 7.0 (wheezy) is released later this year, Debian 6.0 is
still supported by security updates for 1 year. How do people feel
about a 3.1.8 release? Is there anything else particularly urgent that
should be cherry-picked for such a release? Do other distros need 3.1.8
too?

Although 3.3.5 is listed on the page above, I'm going to push for 3.5.x
to be included in Debian 7.0 - that means it will be around for 3 years
from now. I think it is a good idea to have a branch for 3.5.x minor
updates so that security fixes for Debian and other distros can be
cherry-picked for such releases.

On 13/07/12 21:54, Vladimir Vuksan wrote:
> There is a security issue in Ganglia Web going back to at least 3.1.7
> which can lead to arbitrary script being executed with web user privileges
> possibly leading to a machine compromise. The issue has been fixed in the
> latest version of Ganglia Web which can be downloaded from
>
> https://sourceforge.net/projects/ganglia/files/ganglia-web/3.5.1/
>
> If you are running Ganglia Web open on the internet you are advised to
> upgrade ASAP or at a minimum password protect access to Ganglia Web.
>
> We'll have a write-up about details of the vulnerability in a few days.
>
> Sincerely,
>
> Vladimir
>
>
> _______________________________________________
> Ganglia-general mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/ganglia-general
>
_______________________________________________
Ganglia-developers mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ganglia-developers