[Secure-testing-team] Re: Bug#349261: Bug#342943: only kronolith2 fixed

Ola Lundqvist opal at debian.org
Mon Jan 30 05:53:11 UTC 2006


Hello

On Sun, Jan 29, 2006 at 09:33:12PM +0100, Lionel Elie Mamane wrote:
> On Sun, Jan 29, 2006 at 06:15:23PM +0000, Neil McGovern wrote:
> > On Sat, Jan 28, 2006 at 09:23:31PM +0100, Martin Schulze wrote:
> >> Neil McGovern wrote:
> 
> >>> A fairly odd bug. It only affects the app if REGISTER_GLOBALS is
> >>> on, however, the app requires REGISTER_GLOBALS :|
> 
> >>> I'll do an audit of the code and try and find anything left over
> >>> when I get home later.
> 
> >> Any news on this?
> 
> > Sorry for the delay.
> 
> > I haven't managed to find any more bugs relating to this particular
> > security hole that isn't fixed by the previous patch in this bug
> > report.  kronolith seems to be fairly badly coded wrt security
> > issues though. I'd suggest deprecating kronolith1 and forcing
> > people on to kronolith2, which although only a little better, is
> > actually supported upstream.
> 
> The problem is that kronolith2 depends on version 3 of the horde
> framework (rather than version 2), that the two versions of horde
> cannot meaningfully cooperate and there are still some horde2
> applications that have not been ported to horde3. Basically, upstream
> has abandoned horde2 before they ported all their OWN code to horde3.
> 
> So dropping horde2 is a regression, which explains why we haven't done
> it yet. But I'm toying with the idea, as we cannot meaningfully
> support it anyway. Ola, your opinion?

If kronolith1 (named kronolith) cannot be fixed, and is not supported
at all by upstream, I think we should drop it.

Regards,

// Ola 

> -- 
> Lionel
> 
> 

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal at debian.org                     Annebergsslingan 37      \
|  opal at lysator.liu.se                 654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------
