From: bertrand G. <ber...@to...> - 2006-07-15 12:25:54

Chris Finley wrote:

>Marcus Better wrote:
>
>>Gunnar René Øie wrote:
>>
>>>http://tikiwiki.org/tiki-index.php does list what has been done,
>>
>>Not really. Skimming through unrelated news announcements to find the one
>>about a security fix, which says only
>>  "This release fixes a recently declared XSS vulnerability."
>>is simply not good enough.
>>
>>Even
>>  http://tikiwiki.org/tiki-index.php?page=TikiSecurity&bl
>>is mostly a clipboard of information of varying relevance, although it is a
>>good start.
>>
>>Sorry if I sound a bit negative, but I do think the problem is important and
>>can be fixed easily with the proper procedures. (I'm trying to get Tikiwiki
>>uploaded to Debian, and people are raising concerns about this issue.)
>>
>>Marcus
>>
>>Using Tomcat but need to do more?

No I don't and I don't need more, merci.
Could you reformulate without this pollution?
Thanks

>> Need to support web services, security?
>>Get stuff done quickly with pre-integrated technology to make your job easier
>>Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
>>http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
>>_______________________________________________
>>Tikiwiki-devel mailing list
>>Tik...@li...
>>https://lists.sourceforge.net/lists/listinfo/tikiwiki-devel
>
>I have been told that I cannot find out about security bugs before they
>are fixed, but I should be able to get some information afterwards. Is
>there a page for this or mailing list for sys admins?
>
>I agree with Marcus, we need more than "upgrade to 1.9.4 because it
>contains security fixes".
>
>For one, this feels like blackmail. It takes a great deal of time to
>safely upgrade our TikiWiki, apply our customizations and test the whole
>thing. If I can get the fix, that can be applied within a few hours.
>
>The TikiWiki for Debian is a great project (I use Debian, naturally :)
>You may find some problems with the "upgrade or be unsecure" philosophy.
>To keep packages stable, security fixes are backported to minimize the
>chance of a new feature breaking someone's production server.
>Additionally, new features must hang around in "unstable" and the
>"testing" for a while. Bug fixes can be fast-tracked, but they are not
>supposed to contain new features.
>
>Please consider a mailing list for security fixes or adding fix
>information to the change log (or even security change log).
>
>Many thanks,
>
>Chris Finley (maeglin)
>cfinley@u.washington.edu