Posted to dev@tomcat.apache.org by Jon Stevens <jo...@latchkey.com> on 2001/05/03 22:53:27 UTC

Nagoya.apache.org

on 5/3/01 11:42 AM, "Craig R. McClanahan" <cr...@apache.org> wrote:

> http://nagoya.apache.org/bugzilla/

<http://nagoya.apache.org/bugzilla/globals.pl>

When is someone going to secure that box?

This is really pitiful that this has been open like this for this long now
and on top of it, it is running an old version of bugzilla (2.10 and 2.12 is
latest). There have been security advisories regarding the recent holes
discovered in Bugzilla and no one managing nagoya has taken care of the
situation.

I don't think we (the ASF) should give out apache.org domains to boxes that
are not being managed properly. I also don't think that we should rely on a
box as our primary issue tracking system if security is also not going to be
taken seriously.

thanks,

-jon


Re: Nagoya.apache.org

Posted by Jon Stevens <jo...@latchkey.com>.
on 5/3/01 2:19 PM, "Nick Bauman" <ni...@cortexity.com> wrote:

> A while ago I tried to run bugzilla in a chroot jail using thttpd (apache no
> longer supports chroot'ing, it seems). I got it somewhat working, but I gave
> up and went to bugrat, for better or worse.
> 
> I think if you can chroot (and run unprivileged) bugzilla, this greatly
> minimizes any security implications you've seen. Without chrooting and
> running as an unprivileged user, bugzilla is not only insecure, it's
> insecurable.

The problem that I describe below is beyond the need to chroot things. Look
in the globals.pl file at the password that was used. Simple things such as
choosing secure passwords is a good start at security. So is making sure
that the file with your passwords in it is secure as well.

I'm not asking for perfection...I'm simply asking for people to keep up on
closing the known holes in a timely fashion. I don't think that is an
unreasonable expectation for a system administrator.

-jon
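Jon's two points above (a credential file reachable through the web server, and the password stored in it) are easy to check for mechanically. The following audit script is an added example for this thread, not code from Bugzilla or from the ASF's nagoya setup. It assumes a Bugzilla-style Perl configuration (a `globals.pl` with assignments such as `$db_pass = "..."`) and reports any such file that sits inside the web document root, is readable by every local user, or holds an obviously weak value; the function names (`audit`, `demo`, `weak_password`) and the sample files it builds are constructed for the example.

```python
"""Audit config files for exposed or weak credentials (added example, not project code)."""
import os
import re
import stat
import tempfile

# Matches Perl-style credential assignments such as:  $db_pass = "sa";
CRED_RE = re.compile(
    r'\$(\w*(?:pass|passwd|password|secret)\w*)\s*=\s*["\']([^"\']*)["\']',
    re.IGNORECASE,
)

# Constructed list of values that should never be accepted as a service password.
WEAK_VALUES = {"", "password", "bugzilla", "sa", "root", "admin", "changeme"}


def weak_password(value):
    """Small strength check: empty, short, or a well-known default value."""
    return value.lower() in WEAK_VALUES or len(value) < 8


def credential_lines(path):
    """Return (variable, value, line_no) for each credential assignment in a file."""
    found = []
    with open(path, "r", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            m = CRED_RE.search(line)
            if m:
                found.append((m.group(1), m.group(2), n))
    return found


def audit(paths, docroot):
    """Audit candidate config files; docroot is the web server's document root.

    Returns one finding per credential with issues, each a dict holding the file,
    variable, line number and a list drawn from:
      'served_by_web'   - the file lives under the document root, so a request
                          for it may return the source (the globals.pl case)
      'world_readable'  - any local user can read the file
      'weak_password'   - the stored value fails weak_password()
    """
    docroot = os.path.realpath(docroot)
    findings = []
    for path in paths:
        real = os.path.realpath(path)
        mode = os.stat(real).st_mode
        for var, value, line in credential_lines(real):
            issues = []
            if real.startswith(docroot + os.sep):
                issues.append("served_by_web")
            if mode & stat.S_IROTH:
                issues.append("world_readable")
            if weak_password(value):
                issues.append("weak_password")
            if issues:
                findings.append({"file": real, "var": var, "line": line, "issues": issues})
    return findings


def demo():
    """Build a constructed layout resembling the thread's case and audit it."""
    tmp = tempfile.mkdtemp()
    docroot = os.path.join(tmp, "htdocs")
    os.makedirs(os.path.join(docroot, "bugzilla"))
    os.makedirs(os.path.join(tmp, "etc"))

    # Constructed: a config file inside the docroot, readable by all, weak value.
    exposed = os.path.join(docroot, "bugzilla", "globals.pl")
    with open(exposed, "w") as fh:
        fh.write('$db_host = "localhost";\n$db_pass = "sa";\n')
    os.chmod(exposed, 0o644)

    # Constructed: the hardened form, outside the docroot, owner-only, strong value.
    private = os.path.join(tmp, "etc", "localconfig")
    with open(private, "w") as fh:
        fh.write('$db_pass = "Xk9#vLq2pR7wz";\n')
    os.chmod(private, 0o600)

    return audit([exposed, private], docroot)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running the script reports only the constructed `globals.pl`, flagged with all three issues; the owner-only file outside the document root produces no finding, which is the state a Bugzilla install wants to be in.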


Re: Nagoya.apache.org

Posted by Nick Bauman <ni...@cortexity.com>.
A while ago I tried to run bugzilla in a chroot jail using thttpd (apache no
longer supports chroot'ing, it seems). I got it somewhat working, but I gave
up and went to bugrat, for better or worse.

I think if you can chroot (and run unprivileged) bugzilla, this greatly
minimizes any security implications you've seen. Without chrooting and
running as an unprivileged user, bugzilla is not only insecure, it's
insecurable.

> on 5/3/01 11:42 AM, "Craig R. McClanahan" <cr...@apache.org> wrote:
> 
>> http://nagoya.apache.org/bugzilla/
> 
> <http://nagoya.apache.org/bugzilla/globals.pl>
> 
> When is someone going to secure that box?
> 
> This is really pitiful that this has been open like this for this long
> now and on top of it, it is running an old version of bugzilla (2.10
> and 2.12 is latest). There have been security advisories regarding the
> recent holes discovered in Bugzilla and no one managing nagoya has
> taken care of the situation.
> 
> I don't think we (the ASF) should give out apache.org domains to boxes
> that are not being managed properly. I also don't think that we should
> rely on a box as our primary issue tracking system if security is also
> not going to be taken seriously.
> 
> thanks,
> 
> -jon


-- 
Nick Bauman
Software Developer
3023 Lynn #22
Minneapolis, MN
55416
Mobile Phone: (612) 810-7406


Re: Nagoya.apache.org

Posted by Jon Stevens <jo...@latchkey.com>.
on 5/4/01 9:33 AM, "Pier P. Fumagalli" <pi...@betaversion.org> wrote:

> The best thing to do is to upgrade to the new version of BugZilla... I just
> downloaded it and will install it on my Dover box tonight, and if everything
> goes smooth, it'll be on nagoya next week... (The only problem is that I
> have a very restricted internet access, should be fixed by the 10th)
> 
>   Pier

Ok, I just "hope" no one hacks the box before then...

-jon


Re: Nagoya.apache.org

Posted by "Pier P. Fumagalli" <pi...@betaversion.org>.
The best thing to do is to upgrade to the new version of BugZilla... I just
downloaded it and will install it on my Dover box tonight, and if everything
goes smooth, it'll be on nagoya next week... (The only problem is that I
have a very restricted internet access, should be fixed by the 10th)

    Pier

horwat at Justyna.Horwat@Sun.COM wrote:

> Pier is in charge of maintaining bugzilla on nagoya. I'm sure he is looking
> into the various security issues.
> 
> When is Scarab coming out? I'd like an alternative instead of simply hearing
> complaints about the current and well utilized bug tracking system.
> 
> Justy
> 
> ----- Original Message -----
>> on 5/3/01 11:42 AM, "Craig R. McClanahan" <cr...@apache.org> wrote:
>> 
>>> http://nagoya.apache.org/bugzilla/
>> 
>> <http://nagoya.apache.org/bugzilla/globals.pl>
>> 
>> When is someone going to secure that box?
>> 
>> This is really pitiful that this has been open like this for this long now
>> and on top of it, it is running an old version of bugzilla (2.10 and 2.12 is
>> latest). There have been security advisories regarding the recent holes
>> discovered in Bugzilla and no one managing nagoya has taken care of the
>> situation.
>> 
>> I don't think we (the ASF) should give out apache.org domains to boxes that
>> are not being managed properly. I also don't think that we should rely on a
>> box as our primary issue tracking system if security is also not going to be
>> taken seriously.
>> 
>> thanks,
>> 
>> -jon
>> 
>> 


Re: Nagoya.apache.org

Posted by Jon Stevens <jo...@latchkey.com>.
on 5/3/01 4:20 PM, "horwat" <Ju...@Sun.COM> wrote:

> When is Scarab coming out? I'd like an alternative instead of simply hearing
> complaints about the current and well utilized bug tracking system.
> 
> Justy

Actually, Scarab is back on the high track within CollabNet now that
SourceCast 1.0 is released, so more resources are being dedicated to getting
it done which will help greatly on the progress towards completion. The
final ETA is still incomplete as the new project manager hasn't finished the
schedule yet, so all I can say is that things are looking up...

When I have more information that I can make public, it will be available on
the scarab.tigris.org website.

Of course if you would like to volunteer to help out, that will also help
with the progress of the project. So far, getting volunteers has been
somewhat of a struggle. People will volunteer to do something and then they
don't do it. :-( I recently posted a couple TODO items for work that people
could start on and no one has really picked them up...

-jon


Re: Nagoya.apache.org

Posted by horwat <Ju...@Sun.COM>.
Pier is in charge of maintaining bugzilla on nagoya. I'm sure he is looking
into the various security issues.

When is Scarab coming out? I'd like an alternative instead of simply hearing
complaints about the current and well utilized bug tracking system.

Justy

----- Original Message -----
> on 5/3/01 11:42 AM, "Craig R. McClanahan" <cr...@apache.org> wrote:
>
> > http://nagoya.apache.org/bugzilla/
>
> <http://nagoya.apache.org/bugzilla/globals.pl>
>
> When is someone going to secure that box?
>
> This is really pitiful that this has been open like this for this long now
> and on top of it, it is running an old version of bugzilla (2.10 and 2.12 is
> latest). There have been security advisories regarding the recent holes
> discovered in Bugzilla and no one managing nagoya has taken care of the
> situation.
>
> I don't think we (the ASF) should give out apache.org domains to boxes that
> are not being managed properly. I also don't think that we should rely on a
> box as our primary issue tracking system if security is also not going to be
> taken seriously.
>
> thanks,
>
> -jon
>
>