> -----Original Message-----
> From: Jim Arnott [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 10, 2002 8:09 AM
> To: [EMAIL PROTECTED]
> Subject: Bugs 14907, 15000 Security problems (bluesunrise)
>
>
> Just a heads up...
>
> I assume someone reads this jetspeed-dev list, if not I'll post this
> to jetspeed-user, later.

Not the most active list in the world. But we do get a lot of work done for a small team. You can see the list activity here:

http://nagoya.apache.org/eyebrowse/SummarizeList?listId=22

>
> These bugs are still there if bluesunrise is up to date. I just gave myself
> admin privileges and I can see everyone's e-mail address.

It's a beta release. Stated very clearly. The bugs will be fixed before the final 1.4 Jetspeed release, which we hope to put out within a month or so.

As Mark has pointed out, bug #14907 is a configuration issue. Please close the bug.

I'll look into bug 15000 today. Looks like an easy fix. References are a fairly new feature and haven't been used much up until recently.

Bluesunrise is an 'out-of-the-box' demo site. It's not a production site. It's just there for you to see Jetspeed running live and take it for a test run, that's it. It serves no other purpose. All accounts are deleted with every beta release.

>
> Did I place the bug reports in the wrong version? I just selected the latest
> from the menu. Sorry if I did. (they get posted to this list also)
>
> Jetspeed is useless with these security problems.

I think you meant to say "useless to me". I don't find it useless, and neither do my clients.

On all of my installations, we remove the User Admin functions from the deployment. We have our own admin forms for entering users, which do not use the controller with the security hole. The security hole is only with this one controller. My Jetspeed deployments have undergone in-depth and critical security reviews by third party security experts, and passed.

>
> Bluesunrise and everyone else, I would not place any of the latest version
> on the net until these are resolved or at least warn those who login that
> their accounts are open to world.

No problem. I've just shut down the bluesunrise site. I'll start it up again when bug #15000 is fixed.

>
> -jim
> Reuters R&D
>
> Ya, I Know, what do you want for nothing.

That's a strange sig.
I could be wrong, but some open source people may find it offensive. I don't find it offensive. I could care less if you see open source as nothing more than a place for you to come and get free software. But it does leave an impression.

Regards,

David
