cocoon-dev mailing list archives

From Tony Collen <colle...@umn.edu>
Subject Re: Release 2.1.3? (Was: Re: [FYI] Apache Cocoon Directory Traversal Vulnerability)
Date Fri, 24 Oct 2003 19:09:40 GMT
Geoff Howard wrote:
> Tony Collen wrote:
> 
>> Joerg Heinicke wrote:
>>
>>> http://www.securiteam.com/securitynews/6W00L0U8KC.html
>>>
>>> Hey, someone wanted to test the Cocoon community :-)
>>>
>>> Joerg
>>>
>>
>> Hm, I think we should consider releasing 2.1.3 as a security update.
> 
> 
> +1  I thought Carsten had already proposed a date because of the
> Gettogether improvements?

In this case, do we have any procedure for fixing something "bad" like the directory traversal bug, and getting a fix out to users in a timely fashion?

One possible solution:  Fix the problem in CVS HEAD, and then backport it to the last released version (in this case 2.1.2), and make a small security update release -- maybe as 2.1.3 or 2.1.2pl1 or something.

Even though the problem isn't that bad since it's in a sample, something may come down the road later where we have to fix something of a more serious nature, and get a new version out.  Waiting for a freeze/release cycle might be too long if the problem is urgent enough.

Thoughts?

Tony

