Posted to dev@cocoon.apache.org by Joerg Heinicke <jh...@virbus.de> on 2003/10/23 15:40:20 UTC

[FYI] Apache Cocoon Directory Traversal Vulnerability

http://www.securiteam.com/securitynews/6W00L0U8KC.html

Hey, someone wanted to test the Cocoon community :-)

Joerg

-- 
System Development
VIRBUS AG
Fon  +49(0)341-979-7419
Fax  +49(0)341-979-7409
joerg.heinicke@virbus.de
www.virbus.de


Re: Release 2.1.3? (Was: Re: [FYI] Apache Cocoon Directory Traversal Vulnerability)

Posted by Antonio Gallardo <ag...@agsoftware.dnsalias.com>.
Tony Collen said:
> Joerg Heinicke wrote:
>
>> http://www.securiteam.com/securitynews/6W00L0U8KC.html
>>
>> Hey, someone wanted to test the Cocoon community :-)
>>
>> Joerg
>>
>
> Hm, I think we should consider releasing 2.1.3 as a security update.
>
> Thoughts?

+1 A new release right now!

Antonio Gallardo
Re: Release 2.1.3? (Was: Re: [FYI] Apache Cocoon Directory Traversal Vulnerability)

Posted by Ugo Cei <u....@cbim.it>.
Tony Collen wrote:
> Hm, I think we should consider releasing 2.1.3 as a security update.
> 
> Thoughts?

Not just for that but for incorporating all the fixes that were done at 
the GT and more.

But, can we please make sure that the test suite runs, this time?

Otherwise, +1 from me.

	Ugo

-- 
Ugo Cei - Consorzio di Bioingegneria e Informatica Medica
P.le Volontari del Sangue, 2 - 27100 Pavia - Italy
Phone: +39.0382.525100 - E-mail: u.cei@cbim.it


Re: Release 2.1.3? (Was: Re: [FYI] Apache Cocoon Directory Traversal Vulnerability)

Posted by Joerg Heinicke <jh...@virbus.de>.
On 24.10.2003 21:09, Tony Collen wrote:

> In this case, do we have any procedure for fixing something "bad" like 
> the directory traversal bug, and getting a fix out to users in a timely 
> fashion?
> 
> One possible solution:  Fix the problem in CVS HEAD, and then backport 
> it to the last released version (in this case 2.1.2), and make a small 
> security update release -- maybe as 2.1.3 or 2.1.2pl1 or something.
> 
> Even though the problem isn't that bad since it's in a sample, something 
> may come down the road later where we have to fix something of a more 
> serious nature, and get a new version out.  Waiting for a freeze/release 
> cycle might be too long if the problem is urgent enough.
> 
> Thoughts?

IMO Cocoon core is so stable that we can do a release at any time.

Even an immediate fix is possible:

cvs co cocoon-2.1 -r 2.1.2

Fix it on the local checkout and release it as you suggested. A freeze 
period is not necessary then of course.

Joerg


Re: Release 2.1.3? (Was: Re: [FYI] Apache Cocoon Directory Traversal Vulnerability)

Posted by Tony Collen <co...@umn.edu>.
Geoff Howard wrote:
> Tony Collen wrote:
> 
>> Joerg Heinicke wrote:
>>
>>> http://www.securiteam.com/securitynews/6W00L0U8KC.html
>>>
>>> Hey, someone wanted to test the Cocoon community :-)
>>>
>>> Joerg
>>>
>>
>> Hm, I think we should consider releasing 2.1.3 as a security update.
> 
> 
> +1  I thought Carsten had already proposed a date because of the
> Gettogether improvements?

In this case, do we have any procedure for fixing something "bad" like the directory traversal bug, 
and getting a fix out to users in a timely fashion?

One possible solution:  Fix the problem in CVS HEAD, and then backport it to the last released 
version (in this case 2.1.2), and make a small security update release -- maybe as 2.1.3 or 2.1.2pl1 
or something.

Even though the problem isn't that bad since it's in a sample, something may come down the road 
later where we have to fix something of a more serious nature, and get a new version out.  Waiting 
for a freeze/release cycle might be too long if the problem is urgent enough.

Thoughts?

Tony


Re: Release 2.1.3? (Was: Re: [FYI] Apache Cocoon Directory Traversal Vulnerability)

Posted by Geoff Howard <co...@leverageweb.com>.
Carsten Ziegeler wrote:
> 
> Ah, yes, you're right - we should then start the freeze period after
> the "FirstFriday" and make the release on the following thursday,
> the 13th (thank god, it's not a friday, the 13th).

+1

Geoff


Re: Release 2.1.3? (Was: Re: [FYI] Apache Cocoon Directory Traversal Vulnerability)

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Friday, 24 Oct 2003, at 09:57 Europe/Zurich, Carsten Ziegeler 
wrote:

> Joerg Heinicke wrote:
>> If we wait til November I will suggest to release after FirstFriday on
>> November, 7th.
>>
>> http://wiki.cocoondev.org/Wiki.jsp?page=FirstFriday
>>
> Ah, yes, you're right - we should then start the freeze period after
> the "FirstFriday" and make the release on the following thursday,
> the 13th (thank god, it's not a friday, the 13th).

Good idea, +1

-Bertrand


RE: Release 2.1.3? (Was: Re: [FYI] Apache Cocoon Directory Traversal Vulnerability)

Posted by Carsten Ziegeler <cz...@s-und-n.de>.
Joerg Heinicke wrote:
> > 
> > We had a lot of changes in the last weeks (although it might be minor
> > ones), we should ensure that everything works as it should and test
> > everything.
> > We now have the "official freeze period" before the release, as well.
> > 
> > Now, on this basis, I would suggest a release in two weeks from now,
> > either on the 6th or the 10th of November.
> > 
> > And: Are there any outstanding issues?
> > 
> > What do you think?
> > 
> > Carsten
> 
> If we wait til November I will suggest to release after FirstFriday on 
> November, 7th.
> 
> http://wiki.cocoondev.org/Wiki.jsp?page=FirstFriday
> 
Ah, yes, you're right - we should then start the freeze period after
the "FirstFriday" and make the release on the following thursday,
the 13th (thank god, it's not a friday, the 13th).

Carsten

Re: Release 2.1.3? (Was: Re: [FYI] Apache Cocoon Directory Traversal Vulnerability)

Posted by Joerg Heinicke <jh...@virbus.de>.
On 24.10.2003 08:06, Carsten Ziegeler wrote:
> Geoff Howard wrote:
> 
>>Tony Collen wrote:
>>
>>>Joerg Heinicke wrote:
>>>
>>>
>>>>http://www.securiteam.com/securitynews/6W00L0U8KC.html
>>>>
>>>>Hey, someone wanted to test the Cocoon community :-)
>>>>
>>>>Joerg
>>>>
>>>
>>>Hm, I think we should consider releasing 2.1.3 as a security update.
>>
>>+1  I thought Carsten had already proposed a date because of the
>>Gettogether improvements?
>>
> 
> 
> We had a lot of changes in the last weeks (although it might be minor
> ones), we should ensure that everything works as it should and test
> everything.
> We now have the "official freeze period" before the release, as well.
> 
> Now, on this basis, I would suggest a release in two weeks from now,
> either on the 6th or the 10th of November.
> 
> And: Are there any outstanding issues?
> 
> What do you think?
> 
> Carsten

If we wait til November I will suggest to release after FirstFriday on 
November, 7th.

http://wiki.cocoondev.org/Wiki.jsp?page=FirstFriday

Joerg


RE: Release 2.1.3? (Was: Re: [FYI] Apache Cocoon Directory Traversal Vulnerability)

Posted by Carsten Ziegeler <cz...@s-und-n.de>.
Geoff Howard wrote:
> 
> Tony Collen wrote:
> > Joerg Heinicke wrote:
> > 
> >> http://www.securiteam.com/securitynews/6W00L0U8KC.html
> >>
> >> Hey, someone wanted to test the Cocoon community :-)
> >>
> >> Joerg
> >>
> > 
> > Hm, I think we should consider releasing 2.1.3 as a security update.
> 
> +1  I thought Carsten had already proposed a date because of the
> Gettogether improvements?
> 

We had a lot of changes in the last weeks (although it might be minor
ones), we should ensure that everything works as it should and test
everything.
We now have the "official freeze period" before the release, as well.

Now, on this basis, I would suggest a release in two weeks from now,
either on the 6th or the 10th of November.

And: Are there any outstanding issues?

What do you think?

Carsten

Re: Release 2.1.3? (Was: Re: [FYI] Apache Cocoon Directory Traversal Vulnerability)

Posted by Geoff Howard <co...@leverageweb.com>.
Tony Collen wrote:
> Joerg Heinicke wrote:
> 
>> http://www.securiteam.com/securitynews/6W00L0U8KC.html
>>
>> Hey, someone wanted to test the Cocoon community :-)
>>
>> Joerg
>>
> 
> Hm, I think we should consider releasing 2.1.3 as a security update.

+1  I thought Carsten had already proposed a date because of the
Gettogether improvements?

Geoff


Release 2.1.3? (Was: Re: [FYI] Apache Cocoon Directory Traversal Vulnerability)

Posted by Tony Collen <co...@umn.edu>.
Joerg Heinicke wrote:

> http://www.securiteam.com/securitynews/6W00L0U8KC.html
> 
> Hey, someone wanted to test the Cocoon community :-)
> 
> Joerg
> 

Hm, I think we should consider releasing 2.1.3 as a security update.

Thoughts?


RE: [FYI] Apache Cocoon Directory Traversal Vulnerability

Posted by Leo Sutic <le...@inspireinfrastructure.com>.
Nice one... I put a summary of it all in Bugzilla.

/LS

> From: Joerg Heinicke [mailto:jheinicke@virbus.de]