On 06/09/14 21:06, Salvatore Bonaccorso wrote:
> Hi Daniel,
>
> On Wed, Sep 03, 2014 at 02:05:53PM +0200, Daniel Pocock wrote:
>> Salvatore, I'd prefer to update the package closer to the freeze and
>> roll up any other changes in a single release.
>
> Personal opinion: having a fix sooner in testing would be preferable.
> This way the whole package would receive more testing already before
> the freeze.
>
>> People should not be making LogAnalyzer available to the world,
>> especially without additional access controls (HTTP authentication) so
>> that provides some protection against flaws that do exist in this product.
>>
>> How would the security team feel if this package was classified in a
>> similar way to the ganglia-web package, e.g. security alerts are not RC
>> bugs and users advised to protect the URL with the webserver?
>
> It is hard to prevent a syslog analysis tool from processing data from
> untrusted sources. Releasing the package mentioning such a restriction
> to security support does somehow not make sense, considering the
> intended use of the package.
>
> In the concrete instance of
> http://seclists.org/fulldisclosure/2014/Sep/17, a malicious syslog
> client, by setting an appropriate hostname could perform an XSS
> injection, even if the loganalyzer instance would be secured with
> additional access controls. Is this correct and do you agree?
>
Agreed - the majority of large networks don't have strict access control on
syslog and some rogue user could exploit this.

3.6.6+dfsg-1 has just been uploaded.
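The point in the thread is that access control on the web UI does not help when the untrusted input arrives over syslog. The following added example (written for this page, not LogAnalyzer's own PHP code) assumes RFC 5424-formatted lines and a viewer that drops the HOSTNAME field into an HTML table: it shows the unescaped rendering beside the escaped one, and an ingest-side check that flags HOSTNAME values outside RFC 1123 syntax. The log lines are constructed.

```python
import html
import re

# Constructed RFC 5424-style lines: "<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG".
# The second line stands in for a rogue client that sends markup in its HOSTNAME field.
SAMPLE_LINES = [
    "<34>1 2014-09-03T14:05:53Z web01.example.net sshd 4321 - - Accepted publickey for daniel",
    "<34>1 2014-09-03T14:06:10Z <script>alert(1)</script> sshd - - - probe",
]

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>\S+) ?(?P<msg>.*)$"
)

# RFC 1123 host name syntax: dot-separated labels of letters, digits and hyphens,
# each label at most 63 characters. Anything else has no business being a HOSTNAME.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")


def parse_line(line):
    """Split one syslog line into its header fields; raises ValueError if malformed."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError(f"not an RFC 5424 line: {line!r}")
    return m.groupdict()


def hostname_is_valid(host):
    """True when HOSTNAME is plain RFC 1123 syntax (or the RFC 5424 nil value '-')."""
    return host == "-" or (len(host) <= 253 and HOSTNAME_RE.match(host) is not None)


def render_row_unsafe(rec):
    """The pattern behind the bug: untrusted fields pasted straight into HTML."""
    return f"<tr><td>{rec['host']}</td><td>{rec['msg']}</td></tr>"


def render_row_safe(rec):
    """Output encoding: every field is HTML-escaped regardless of where it came from."""
    return f"<tr><td>{html.escape(rec['host'])}</td><td>{html.escape(rec['msg'])}</td></tr>"


def suspicious_hosts(lines):
    """Detection at ingest: HOSTNAME values that do not look like host names at all."""
    hosts = [parse_line(line)["host"] for line in lines]
    return [h for h in hosts if not hostname_is_valid(h)]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        print("unsafe:", render_row_unsafe(rec))
        print("safe:  ", render_row_safe(rec))
    print("suspicious HOSTNAME values:", suspicious_hosts(SAMPLE_LINES))
```

Escaping on output is the fix; the hostname check is an extra signal for the log pipeline, since a HOSTNAME containing angle brackets is a sender worth investigating even when the viewer is patched.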