Ola Lundqvist wrote:
I haven't managed to find any more bugs relating to this particular
security hole that isn't fixed by the previous patch in this bug
report. kronolith seems to be fairly badly coded wrt security
issues though. I'd suggest deprecating kronolith1 and forcing
On Thu, Feb 09, 2006 at 10:47:28AM +0100, Martin Schulze wrote:
Ola Lundqvist wrote:
I'd suggest deprecating kronolith1 and forcing people on to
kronolith2, which although only a little better, is actually
supported upstream.
The problem is that kronolith2 depends on version 3 of the horde
Lionel Elie Mamane wrote:
The problem is that kronolith2 depends on version 3 of the horde
framework (rather than version 2), that the two versions of horde
cannot meaningfully cooperate and there are still some horde2
applications that have not been ported to horde3. Basically,
upstream
On Sat, Jan 28, 2006 at 09:23:31PM +0100, Martin Schulze wrote:
Neil McGovern wrote:
On Sun, Jan 22, 2006 at 11:35:15AM +0100, Martin Schulze wrote:
Lionel Elie Mamane wrote:
I've tried to backport the upstream patch for kronolith 2, but most
files touched don't actually exist in
On Sun, Jan 29, 2006 at 06:15:23PM +, Neil McGovern wrote:
On Sat, Jan 28, 2006 at 09:23:31PM +0100, Martin Schulze wrote:
Neil McGovern wrote:
A fairly odd bug. It only affects the app if REGISTER_GLOBALS is
on, however, the app requires REGISTER_GLOBALS :|
I'll do an audit of the code
Hello
On Sun, Jan 29, 2006 at 09:33:12PM +0100, Lionel Elie Mamane wrote:
On Sun, Jan 29, 2006 at 06:15:23PM +, Neil McGovern wrote:
On Sat, Jan 28, 2006 at 09:23:31PM +0100, Martin Schulze wrote:
Neil McGovern wrote:
A fairly odd bug. It only affects the app if REGISTER_GLOBALS is
Neil McGovern wrote:
On Sun, Jan 22, 2006 at 11:35:15AM +0100, Martin Schulze wrote:
Lionel Elie Mamane wrote:
I've tried to backport the upstream patch for kronolith 2, but most
files touched don't actually exist in kronolith 1, as well as a
sizeable part of the code touched in the
package kronolith
reopen 349261
tags 349261 +help
thanks
On Sat, Jan 21, 2006 at 03:56:30PM -0500, Joey Hess wrote:
clone 342943 -1
reassign -1 kronolith
thanks
This security hole was fixed in kronolith2, but the kronolith
package is still present in unstable and still, presumably, has this
Lionel Elie Mamane wrote:
This security hole was fixed in kronolith2, but the kronolith
package is still present in unstable and still, presumably, has this
hole.
Thank you for warning us. However, kronolith 1 is not maintained
upstream anymore and no patch for this issue is available
On Sun, Jan 22, 2006 at 11:35:15AM +0100, Martin Schulze wrote:
Lionel Elie Mamane wrote:
I've tried to backport the upstream patch for kronolith 2, but most
files touched don't actually exist in kronolith 1, as well as a
sizeable part of the code touched in the files that do exist. Here is
Neil McGovern wrote:
A fairly odd bug. It only affects the app if REGISTER_GLOBALS is on,
however, the app requires REGISTER_GLOBALS :|
Isn't this in and of itself a problem due to CVE-2005-3390? Is that
finally going to be fixed in Sarge?
* Martin Schulze:
I've taken a look at the patch, and several lines contain changes not
suitable for a security update, i.e. fix different potential bugs or
change the code. I'm attaching the patch. More eyes checking would
be appreciated.
This one seems only safe when magic_quotes_gpc is
clone 342943 -1
reassign -1 kronolith
thanks
This security hole was fixed in kronolith2, but the kronolith package is
still present in unstable and still, presumably, has this hole.
--
see shy jo