Hi Daniel,

On Wed, Sep 03, 2014 at 02:05:53PM +0200, Daniel Pocock wrote:
> Salvatore, I'd prefer to update the package closer to the freeze and
> roll up any other changes in a single release.

Personal opinion: having a fix sooner in testing would be preferable. This way the whole package would receive more testing already before the freeze.

> People should not be making LogAnalyzer available to the world,
> especially without additional access controls (HTTP authentication) so
> that provides some protection against flaws that do exist in this product.
>
> How would the security team feel if this package was classified in a
> similar way to the ganglia-web package, e.g. security alerts are not RC
> bugs and users advised to protect the URL with the webserver?

It is hard to prevent a syslog analysis tool from processing data from untrusted sources. Releasing the package while mentioning such a restriction to security support somehow does not make sense, considering the intended use of the package.

In the concrete instance of http://seclists.org/fulldisclosure/2014/Sep/17, a malicious syslog client, by setting an appropriate hostname, could perform an XSS injection, even if the loganalyzer instance were secured with additional access controls.

Is this correct and do you agree?

Regards,
Salvatore
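The point Salvatore makes above, that HTTP authentication in front of the viewer does nothing against data a remote syslog client injects, can be shown with a small self-contained example. The following Python is an added illustration written for this page; it is not LogAnalyzer's code (which is PHP) and does not reproduce the advisory's actual payload. It assumes a BSD-style (RFC 3164) syslog line layout, uses constructed sample lines, and contrasts a viewer that interpolates the hostname field into HTML unescaped with one that escapes every field and additionally validates the hostname charset:

```python
import html
import re

# Constructed sample syslog lines in BSD/RFC 3164 layout, as a syslog
# server might write them to disk. The HOSTNAME field of the third line
# is attacker controlled: any syslog client can put whatever it wants
# there, regardless of who is allowed to log in to the web viewer.
SAMPLE_LINES = [
    "<34>Sep  3 14:05:53 web01 sshd[1234]: Accepted publickey for root",
    "<13>Sep  3 14:06:01 db02 cron[77]: (root) CMD (run-parts)",
    "<13>Sep  3 14:06:10 <script>alert(1)</script> app: hello",
]

# <PRI>TIMESTAMP HOSTNAME MSG; HOSTNAME is everything up to the next space.
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# RFC 1123 style hostname: labels of letters, digits and hyphens.
_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,62})"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}))*\.?$"
)


def parse_syslog(line):
    """Return a dict with pri/ts/host/msg, or None if the line does not parse."""
    m = _SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def is_valid_hostname(host):
    """Whitelist check on the hostname field; a second line of defence only."""
    return len(host) <= 253 and bool(_HOSTNAME_RE.match(host))


def render_row_vulnerable(rec):
    # Field values go straight into the markup: a hostname containing
    # markup becomes part of the page every authenticated viewer loads.
    return "<tr><td>{ts}</td><td>{host}</td><td>{msg}</td></tr>".format(**rec)


def render_row_safe(rec):
    # Escape every untrusted field at the point of output, and flag a
    # hostname that cannot be a real hostname instead of trusting it.
    cells = [html.escape(rec[k], quote=True) for k in ("ts", "host", "msg")]
    if not is_valid_hostname(rec["host"]):
        cells[1] = "[invalid hostname] " + cells[1]
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def render_table(lines, renderer):
    """Render the parsable lines as an HTML table using the given row renderer."""
    rows = [renderer(rec) for rec in map(parse_syslog, lines) if rec is not None]
    return "<table>" + "".join(rows) + "</table>"


if __name__ == "__main__":
    print(render_table(SAMPLE_LINES, render_row_vulnerable))
    print(render_table(SAMPLE_LINES, render_row_safe))
```

Running it prints the vulnerable table with the raw `<script>` element in the hostname column and the safe table with it neutralised as `&lt;script&gt;`; no HTTP authentication setting changes which of the two the browser receives, which is why an access-control note in the package documentation does not substitute for the fix in the viewer.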