If we're going to be installing the cscope web frontend, we should probably patch it so the default output includes a big warning: <h1>this script is insecure and does no checking so you can ask it to show random files on your server</h1>

While generally not a terribly big issue in the normal case, I don't think people would go around installing this if they knew that it could be easily used to glean fun information about the configuration of their system. A quick test shows that you can display any file that is Apache-readable (so all of your Apache config files). Just install cscope into your cgi-bin (I don't think you even need to configure the .pl file) and browse to something like:

http://localhost/cgi-bin/cscope/cscope?fshow=1&fshowfile=/etc/passwd
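The file-disclosure pattern the report above describes, as an added illustration that is not the cscope web frontend (a Perl script) nor code from this bug: a minimal Python handler that opens whatever the `fshowfile` parameter names, next to a hardened variant that canonicalizes the requested path and refuses anything whose real location is outside the configured source tree. The directory layout, file names and contents are constructed for the demo, and the function names (`vulnerable_show`, `hardened_show`, `run_demo`) are my own.

```python
import os
import tempfile


def vulnerable_show(fshowfile):
    """Unchecked handler modelled on the behaviour the bug report describes.

    Whatever the query parameter names is opened and returned, so every file
    readable by the web server's uid (its own config files, /etc/passwd, ...)
    is disclosed. Constructed illustration, not the cscope script.
    """
    with open(fshowfile, "rb") as f:
        return f.read()


def hardened_show(fshowfile, base_dir):
    """Serve a file only if its canonical path lies inside base_dir.

    os.path.realpath() resolves '..' segments and symlinks before the
    containment check, so 'src/../httpd.conf', '/etc/passwd' and a symlink
    inside the tree that points outside it are all rejected.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards base when fshowfile is absolute; realpath then
    # yields the absolute target and the containment check rejects it.
    candidate = os.path.realpath(os.path.join(base, fshowfile))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"refusing {fshowfile!r}: outside {base}")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(fshowfile)
    with open(candidate, "rb") as f:
        return f.read()


def _denied(fshowfile, base_dir):
    """True if hardened_show refuses the request with PermissionError."""
    try:
        hardened_show(fshowfile, base_dir)
    except PermissionError:
        return True
    return False


def run_demo():
    """Build a throwaway tree (constructed data) and exercise both handlers.

    Returns a dict of booleans, one per scenario, so the outcome can be
    checked programmatically rather than eyeballed.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")            # the indexed source tree
        os.mkdir(src)
        with open(os.path.join(src, "main.c"), "w") as f:
            f.write("int main(void) { return 0; }\n")
        secret = os.path.join(tmp, "httpd.conf")  # stands in for an Apache config
        with open(secret, "w") as f:
            f.write("ServerName constructed.example\n")
        # A symlink inside the tree pointing at a file outside it.
        os.symlink(secret, os.path.join(src, "link"))

        conf = b"ServerName constructed.example\n"
        # The unchecked handler happily returns the file by absolute path
        # and via '..' traversal.
        results["vulnerable_leaks_absolute"] = vulnerable_show(secret) == conf
        results["vulnerable_leaks_traversal"] = (
            vulnerable_show(os.path.join(src, "..", "httpd.conf")) == conf)

        # The hardened handler serves in-tree files and refuses the rest.
        results["hardened_serves_in_tree"] = (
            hardened_show("main.c", src) == b"int main(void) { return 0; }\n")
        results["hardened_blocks_absolute"] = _denied(secret, src)
        results["hardened_blocks_traversal"] = _denied("../httpd.conf", src)
        results["hardened_blocks_symlink"] = _denied("link", src)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'as expected' if ok else 'UNEXPECTED'}")
```

The check is done on the resolved path rather than on the string: rejecting `..` or a leading `/` in the parameter is not enough, because a symlink placed inside the tree (or an already-canonical absolute path) would still escape.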
Security, do you want the web frontend removed or the big warning? I will inform upstream about the issue.
I think a warning would be sufficient.
15.6-r1 with the warning is in CVS now. Security, you may now CC arches if you think it is needed, or close the bug.
Security, all necessary steps from maintainers have been done. What will happen here next?
(In reply to comment #4)
> Security, all necessary steps from maintainers have been done. What will
> happen here next?

The end of the known universe :)

alpha amd64 arm ia64 mips s390: please test and mark stable cscope-15.6-r1, thanks. hppa, ppc, ppc64, sparc, x86: please test and mark stable cscope-15.6-r1 if everything is OK. That is a very weak security issue, so if something is wrong with it, it would be better to stay with 15.5.20060927-r1 and patch it with the warning in it.
Forgot to add arches. And reassigning.

"alpha amd64 arm ia64 mips s390: please test and mark stable cscope-15.6-r1, thanks. hppa, ppc, ppc64, sparc, x86: please test and mark stable cscope-15.6-r1 if everything is OK. That is a very weak security issue, so if something is wrong with it, it would be better to stay with 15.5.20060927-r1 and patch it with the warning in it."
x86 stable
ppc stable
stable on hppa
sparc stable.
Stable on Alpha.
amd64 stable
ppc64 stable
I would vote for NOglsa
Also vote NO.
Stable on MIPS. Closing.
Security hasn't finished its procedure.
Yes, thanks. But no one will vote except me and tavis, so closing without GLSA. Feel free to reopen if you disagree :)