ant-dev mailing list archives

From "Steve Loughran" <stev...@iseran.com>
Subject Re: cvs commit: ant/src/main/org/apache/tools/ant/taskdefs/optional/clearcase CCLock.java CCMkbl.java CCMklabel.java CCMklbtype.java CCRmtype.java CCUnlock.java ClearCase.java
Date Tue, 15 Apr 2003 03:49:07 GMT

----- Original Message -----
From: "Magesh Umasankar" <umagesh@apache.org>
To: "Ant Developers List" <dev@ant.apache.org>
Sent: Monday, April 14, 2003 17:35
Subject: Re: cvs commit:
ant/src/main/org/apache/tools/ant/taskdefs/optional/clearcase CCLock.java
CCMkbl.java CCMklabel.java CCMklbtype.java CCRmtype.java CCUnlock.java
ClearCase.java


> Point taken.
>
> In the future, if it will help, I will attach the actual diff
> that was used to patch to the bug report, before marking it as
> fixed.
>
> Cheers,
> Magesh


No, I wasn't expecting any changes - Ant isn't a security issue, it's more an
observation that we have a loophole in the process, one that matters more
where you have

- complex code that doesn't get looked at often
- network accessible
- widely deployed.

Something like Axis or Tomcat would be vulnerable here, if not to anyone
malicious, then to someone planning to write a paper titled 'process
failures in open source security' on how they added a back door & how long
it took for someone reading the code to find it.

But I won't, because so many people do use these things it'd be
irresponsible, 'cept maybe for an easter-egg-class of back door.

-steve

