Moritz Muehlenhoff wrote:
> Gerfried Fuchs wrote:
>> Hi!
>>
>> * Jeremy T. Bouse <jbo...@debian.org> [2010-02-01 16:12:06 CET]:
>>> Gerfried Fuchs wrote:
>>>> * Jeremy T. Bouse <jbo...@debian.org> [2009-11-27 19:30:47 CET]:
>>>>> I am currently working on getting 1.4.4 ready to go and remove David
>>>>> Gil from the package per (#551636)
>>>> Actually, I'm not sure, does this address Moritz' concerns, from a
>>>> security team's point of view, especially with respect to stable? I
>>>> don't see any update that would have fixed the security issues for
>>>> lenny, what is your plan for that?
>>> 1.4.4 reportedly fixes all current outstanding CVS reports. Short of
>>> going and simply upgrading the old versions trying to go through the
>>> code and find the specific fixes to these issues, as I've found no patch
>>> files specific to the problem, would take much more time than I have
>>> available when a fixed upstream version is already available in the
>>> repository. 1.4.4-1 hit the unstable repository in late November and I
>>> had a few fixes until 1.4.4-3 was migrated to testing just before Christmas.
>> You are aware that maintaining a package doesn't mean only taking care
>> for it in unstable but also to at least try to give the security team a
>> helping hand for trying to get things straight in a stable release? I
>> wonder, how severe are the issues actually? Is it better to pull the
>> package from the stable release (like Moritz suggested already) if you
>> don't see the possibility to get the issues fixed for stable, or do you
>> consider the issues minor enough to ignore them for this time - but what
>> will happen when more severe ones pop up?
>
> An additional possibility might be to limit the scope of security support
> to local, trusted users behind an authenticated HTTP zone. We're doing that
> for a few applications already, e.g. sql-ledger or ocsinventory.
> You wouldn't expose your accounting or hardware inventory to untrusted
> users and the same should apply to IDS results.
>
> Cheers,
>         Moritz
In which case this is a non-issue to anyone who uses the default Apache configuration, which limits access to localhost and has since 1.2.7.

    <IfModule mod_alias.c>
      Alias /acidbase "/usr/share/acidbase"
    </IfModule>

    <DirectoryMatch /usr/share/acidbase/>
      Options +FollowSymLinks
      AllowOverride None
      order deny,allow
      deny from all
      allow from 127.0.0.0/255.0.0.0
      <IfModule mod_php4.c>
        php_flag magic_quotes_gpc Off
        php_flag track_vars On
        php_value include_path .:/usr/share/php
      </IfModule>
    </DirectoryMatch>
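As an added illustration (not the acidbase package's own apache.conf, nor anything posted in this thread), here is the packaged localhost restriction combined with the "authenticated HTTP zone" Moritz describes, first in the Apache 2.2 syntax lenny shipped and then the Apache 2.4 equivalent; the AuthUserFile path and the realm name are assumptions:

```apache
# Added example; not the acidbase package's shipped configuration.
# Apache 2.2 (lenny): keep the host restriction AND require a login.
<DirectoryMatch /usr/share/acidbase/>
    Options +FollowSymLinks
    AllowOverride None

    # Host-based restriction, as in the packaged default.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0

    # Authenticated zone; password file path and realm are assumptions.
    AuthType Basic
    AuthName "BASE console"
    AuthUserFile /etc/apache2/acidbase.htpasswd
    Require valid-user

    # "Satisfy all" (the 2.2 default) means BOTH the host check and the
    # login must pass. "Satisfy any" would let any localhost client in
    # without a password, which is exactly the weaker setting to avoid.
    Satisfy all
</DirectoryMatch>

# Apache 2.4 equivalent: Order/Allow/Deny belong to mod_access_compat;
# the native form is a RequireAll container combining both conditions.
<DirectoryMatch /usr/share/acidbase/>
    Options +FollowSymLinks
    AllowOverride None
    AuthType Basic
    AuthName "BASE console"
    AuthUserFile /etc/apache2/acidbase.htpasswd
    <RequireAll>
        Require local
        Require valid-user
    </RequireAll>
</DirectoryMatch>
```

The password file is created once with `htpasswd -c /etc/apache2/acidbase.htpasswd <user>` and should not be readable by the web server's document root. Relaxing `Allow from` to a LAN range later still leaves the login in place, which is the point of stacking the two checks.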