Lionel Elie Mamane wrote:
> >>> The problem is that kronolith2 depends on version 3 of the horde
> >>> framework (rather than version 2), that the two versions of horde
> >>> cannot meaningfully cooperate and there are still some horde2
> >>> applications that have not been ported to horde3. Basica
On Thu, Feb 09, 2006 at 10:47:28AM +0100, Martin Schulze wrote:
> Ola Lundqvist wrote:
I'd suggest depreciating kronolith1 and forcing people on to
kronolith2, which although only a little better, is actually
supported upstream.
>>> The problem is that kronolith2 depends on version
Ola Lundqvist wrote:
> > > I haven't managed to find any more bugs relating to this particular
> > > security hole that isn't fixed by the previous patch in this bug
> > > report. kronolith seems to be fairly badly coded wrt security
> > > issues though. I'd suggest depreciating kronolith1 and for
Hello
On Sun, Jan 29, 2006 at 09:33:12PM +0100, Lionel Elie Mamane wrote:
> On Sun, Jan 29, 2006 at 06:15:23PM +, Neil McGovern wrote:
> > On Sat, Jan 28, 2006 at 09:23:31PM +0100, Martin Schulze wrote:
> >> Neil McGovern wrote:
>
> >>> A fairly odd bug. It only affects the app if REGISTER_GL
On Sun, Jan 29, 2006 at 06:15:23PM +, Neil McGovern wrote:
> On Sat, Jan 28, 2006 at 09:23:31PM +0100, Martin Schulze wrote:
>> Neil McGovern wrote:
>>> A fairly odd bug. It only affects the app if REGISTER_GLOBALS is
>>> on, however, the app requires REGISTER_GLOBALS :|
>>> I'll do an audit
On Sat, Jan 28, 2006 at 09:23:31PM +0100, Martin Schulze wrote:
> Neil McGovern wrote:
> > On Sun, Jan 22, 2006 at 11:35:15AM +0100, Martin Schulze wrote:
> > > Lionel Elie Mamane wrote:
> > > > I've tried to backport the upstream patch for kronolith 2, but most
> > > > files touched don't actually
Neil McGovern wrote:
> On Sun, Jan 22, 2006 at 11:35:15AM +0100, Martin Schulze wrote:
> > Lionel Elie Mamane wrote:
> > > I've tried to backport the upstream patch for kronolith 2, but most
> > > files touched don't actually exist in kronolith 1, as well as a
> > > sizeable part of the code touche
* Martin Schulze:
> I've taken a look at the patch, and several lines contain changes not
> suitable for a security update, i.e. fix different potential bugs or
> change the code. I'm attaching the patch. More eyes checking would
> be appreciated.
This one seems only safe when magic_quotes_gpc
Neil McGovern wrote:
> A fairly odd bug. It only affects the app if REGISTER_GLOBALS is on,
> however, the app requires REGISTER_GLOBALS :|
Isn't this in and of itself a problem due to CVE-2005-3390? Is that
finally going to be fixed in Sarge?
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3366
On Sun, Jan 22, 2006 at 11:35:15AM +0100, Martin Schulze wrote:
> Lionel Elie Mamane wrote:
> > I've tried to backport the upstream patch for kronolith 2, but most
> > files touched don't actually exist in kronolith 1, as well as a
> > sizeable part of the code touched in the files that do exist. H
Lionel Elie Mamane wrote:
> > This security hole was fixed in kronolith2, but the kronolith
> > package is still present in unstable and still, presumably, has this
> > hole.
>
> Thank you for warning us. However, kronolith 1 is not maintained
> upstream anymore and no patch for this issue is avai
package kronolith
reopen 349261
tags 349261 +help
thanks
On Sat, Jan 21, 2006 at 03:56:30PM -0500, Joey Hess wrote:
> clone 342943 -1
> reassign -1 kronolith
> thanks
> This security hole was fixed in kronolith2, but the kronolith
> package is still present in unstable and still, presumably, has
clone 342943 -1
reassign -1 kronolith
thanks
This security hole was fixed in kronolith2, but the kronolith package is
still present in unstable and still, presumably, has this hole.
--
see shy jo