On Sat, Jan 19, 2013 at 08:18:10PM +0100, Yves-Alexis Perez wrote:
> On Tue, 2013-01-08 at 18:04 +0000, Dominic Hargreaves wrote:
> > Security team, shall I upload to security-master?
>
> Yes, please.

Okay, done.

> > It might be useful in a DSA to recommend restricting the
> > mt-upgrade.cgi script to trusted IP addresses, but I don't think
> > it's something we can do by default, as browser access to
> > mt-upgrade.cgi is needed to complete upgrades.
>
> To be honest, I'd be comfortable to restrict it to 127.0.0.1/::1 but
> that's not really something we can change on a stable update.

That is likely to render the site inoperable following an upgrade with a
schema change, because an admin has to log in with their browser and get
redirected to mt-upgrade.cgi. They're advised of this possibility with a
debconf note, but I still think it's risky to lock people out of doing
this by default.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
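For a site admin who wants to apply the restriction discussed above on their own host (rather than having the package do it by default), the following is an added example of an Apache 2.4 fragment; it is not part of this thread or of the Debian movabletype package. It assumes the Movable Type CGI scripts are served by Apache with mod_authz_core (the `Require` directive), matches the script by file name so no install path has to be assumed, and uses 192.0.2.0/24 as a stand-in for the administrator's trusted network.

```apache
# Added example (not from the bug thread or the Debian package).
# Weak state: mt-upgrade.cgi reachable from anywhere, like every other
# CGI in the same directory. Shown for contrast; do not keep both blocks.
#
# <Files "mt-upgrade.cgi">
#     Require all granted
# </Files>

# Hardened: only loopback (127.0.0.1 / ::1) plus an assumed trusted admin
# range may reach the upgrade script. Everything else gets 403.
<Files "mt-upgrade.cgi">
    Require ip 127.0.0.1 ::1
    Require ip 192.0.2.0/24
</Files>
```

After an upgrade that changes the schema, Movable Type redirects the first admin login to mt-upgrade.cgi, so with this in place an admin outside the trusted range would be locked out exactly as the message above warns. A common way to finish the upgrade without widening the allow list is an SSH port forward to the server (`ssh -L 8080:localhost:80 host`) and then completing the upgrade through http://localhost:8080/, which arrives from 127.0.0.1. Check the result with `apachectl configtest` before reloading.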