Hello

On Sun, Jan 29, 2006 at 09:33:12PM +0100, Lionel Elie Mamane wrote:
> On Sun, Jan 29, 2006 at 06:15:23PM +0000, Neil McGovern wrote:
> > On Sat, Jan 28, 2006 at 09:23:31PM +0100, Martin Schulze wrote:
> >> Neil McGovern wrote:
>
> >>> A fairly odd bug. It only affects the app if REGISTER_GLOBALS is
> >>> on, however, the app requires REGISTER_GLOBALS :|
>
> >>> I'll do an audit of the code and try and find anything left over
> >>> when I get home later.
>
> >> Any news on this?
>
> > Sorry for the delay.
>
> > I haven't managed to find any more bugs relating to this particular
> > security hole that isn't fixed by the previous patch in this bug
> > report. kronolith seems to be fairly badly coded wrt security
> > issues though. I'd suggest depreciating kronolith1 and forcing
> > people on to kronolith2, which although only a little better, is
> > actually supported upstream.
>
> The problem is that kronolith2 depends on version 3 of the horde
> framework (rather than version 2), that the two versions of horde
> cannot meaningfully cooperate and there are still some horde2
> applications that have not been ported to horde3. Basically, upstream
> has abandoned horde2 before they ported all their OWN code to horde3.
>
> So dropping horde2 is a regression, which explains why we haven't done
> it yet. But I'm toying with the idea, as we cannot meaningfully
> support it anyway. Ola, your opinion?

If kronolith1 (named kronolith) can not be fixed, and is not supported at all
by upstream I think we should drop it.

Regards,

// Ola

> --
> Lionel
>

--
 --------------------- Ola Lundqvist ---------------------------
/  [EMAIL PROTECTED]                    Annebergsslingan 37      \
|  [EMAIL PROTECTED]                    654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------