[pkg-horde] Bug#342943: only kronolith2 fixed
Lionel Elie Mamane
lionel at mamane.lu
Sun Jan 29 20:33:12 UTC 2006
On Sun, Jan 29, 2006 at 06:15:23PM +0000, Neil McGovern wrote:
> On Sat, Jan 28, 2006 at 09:23:31PM +0100, Martin Schulze wrote:
>> Neil McGovern wrote:
>>> A fairly odd bug. It only affects the app if REGISTER_GLOBALS is
>>> on, however, the app requires REGISTER_GLOBALS :|
>>> I'll do an audit of the code and try and find anything left over
>>> when I get home later.
>> Any news on this?
> Sorry for the delay.
> I haven't managed to find any more bugs relating to this particular
> security hole that isn't fixed by the previous patch in this bug
> report. kronolith seems to be fairly badly coded wrt security
> issues though. I'd suggest depreciating kronolith1 and forcing
> people on to kronolith2, whcih although only a little better, is
> actually supported upstream.
The problem is that kronolith2 depends on version 3 of the horde
framework (rather than version 2), that the two versions of horde
cannot meaningfully cooperate and there are still some horde2
applications that have not been ported to horde3. Basically, upstream
has abandoned horde2 before they ported all their OWN code to horde3.
So dropping horde2 is a regression, which explains why we haven't done
it yet. But I'm toying with the idea, as we cannot meaningfully
support it anyway. Ola, your opinion?
More information about the pkg-horde-hackers