On Monday, November 16, 2020 at 6:11:12 PM UTC-8 lorriea...@gmail.com wrote:
> Hello,
> I am the IT Software Acquisitions Customer Liaison at the Colorado School
> of Mines. We have a request from a student to install EXPGUI GSAS on our
> university computers. This requires approval from our Security,
> Infrastructure and Privacy stakeholders. Would anyone in this group be
> able to point me to information that would help with understanding the
> security vulnerabilities and measures of this software? Also, what
> personal data is collected by this software for login, etc.?
>
> I appreciate any thoughts you can share.
> Best,
> Lorrie Pacheco-Butler
> Colorado School of Mines
>

TracStandalone (using Trac's web server) can authenticate using basic or digest authentication, with the Apache utilities commonly used to create the password files:
https://trac.edgewall.org/wiki/TracStandalone#UsingAuthentication

However, typically a third-party web server is used to serve Trac, such as Apache. There are many options for authentication, but most commonly basic, digest, or LDAP authentication is used, so the security of authentication and password storage falls to Apache.
https://trac.edgewall.org/wiki/TracAuthenticationIntroduction

Trac allows users to enter their real name and email through the preferences page. The information is stored in a cookie. The cookie also stores last login time and some other basic site preferences.
https://trac.edgewall.org/wiki/TracDev/TracSession

The Trac permission model is used to provide authorization to resources, once authenticated.
http://trac.edgewall.org/wiki/TracPermissions

I can tell you informally that we have fixed all security vulnerabilities that have been reported to us privately. You may wish to look to a security vulnerabilities site to see if they have recorded any that are not fixed yet, but I'm not aware of any, and if you find any, please report to ad...@edgewall.org. We aim to fix those quickly. We suggest running the latest version, 1.4.2, to ensure you have all available security fixes.
Ryan
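
For a security review of the password files mentioned in the reply above, it helps to know which hash scheme each entry uses. The following is an added example, not part of the original message and not Trac or Apache code: a Python sketch that classifies lines from files created by Apache's `htpasswd` and `htdigest` utilities. The function names, the strong/legacy/insecure ratings, and the sample entries are assumptions of this example; the sample file is constructed.

```python
import base64
import hashlib
import re

# (prefix, scheme name, rating); the ratings are this example's own judgement.
PREFIXES = [
    ("$2y$", "bcrypt", "strong"),
    ("$6$", "sha512-crypt", "strong"),
    ("$5$", "sha256-crypt", "strong"),
    ("$apr1$", "apr1-md5", "legacy"),
    ("{SHA}", "unsalted-sha1", "insecure"),
]

def classify(line):
    """Return (user, scheme, rating) for one htpasswd or htdigest line."""
    fields = line.strip().split(":")
    if len(fields) == 3 and re.fullmatch(r"[0-9a-f]{32}", fields[2]):
        # htdigest layout: user:realm:MD5(user:realm:password)
        return fields[0], "digest-md5", "legacy"
    user, _, secret = line.strip().partition(":")
    for prefix, scheme, rating in PREFIXES:
        if secret.startswith(prefix):
            return user, scheme, rating
    if re.fullmatch(r"[./0-9A-Za-z]{13}", secret):
        return user, "des-crypt", "insecure"
    return user, "plaintext-or-unknown", "insecure"

def audit(text):  # classify every non-blank line of a password file
    return [classify(l) for l in text.splitlines() if l.strip()]

def htdigest_entry(user, realm, password):  # builds a sample htdigest line
    h = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    return f"{user}:{realm}:{h}"

def sha_entry(user, password):  # builds a sample htpasswd {SHA} line
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:" + "{SHA}" + base64.b64encode(digest).decode()

# Constructed sample file: users, realm, passwords and hash bodies are made up.
SAMPLE = "\n".join([
    "alice:$2y$05$" + "A" * 53,
    "bob:$apr1$abcdefgh$" + "B" * 22,
    sha_entry("carol", "example-password"),
    htdigest_entry("dave", "trac", "example-password"),
])

if __name__ == "__main__":
    for user, scheme, rating in audit(SAMPLE):
        print(f"{user:8} {scheme:22} {rating}")
```

Entries rated legacy or insecure are candidates for regeneration with a stronger scheme, or for moving authentication to a central directory such as LDAP.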