From arthur.barrett at march-hare.com Wed Jul 9 07:00:18 2008
From: arthur.barrett at march-hare.com (Arthur Barrett)
Date: Wed, 9 Jul 2008 16:00:18 +1000
Subject: [cvsnt-dev] Bug#466408: Failure of Drop-In Compatibility with Old Repository
Message-ID: <946E76E38BC1E2448B68F32FAEA2BA5858F295@2ksrvr01.march-hare.local>

Andreas,

I'm not cc'ing the bug on this message, but I am cc'ing cvsnt-dev.

> create a new
> package as soon as CVSNT 2.5.04 is released which is due ... When?
> Arthur? :-)

I'm currently putting together another RC, partly because there were some more rename fixes, but mostly because the "old" builds used the system libxml2 (except on Windows) which for everything except Red Hat 5 meant it didn't work. That meant no working CVSNT for Mac, HP-UX, Solaris, Red Hat 4, SUSE, pretty much everything anyone actually uses in "production". Of course all your recent work on Debian has been on the builds with libxml2 included, so I think you've got nothing to do at your end except testing...

Since this is a largish change it is going to need more testing by the user group, plus I need to do a little more Windows stuff, so there will most likely be at least one more RC before the stable. Unless problems are found it should all be done in a couple of weeks from the next RC; however, the likelihood of "problems" with such a major change is quite high.

I've spent most of today getting Solaris to compile, and just started looking at HP-UX and Mac OS X. I'm trying to spend a couple of hours a day on this, but I'm running out of time and there are other far more urgent priorities that are slipping because of this. I'd like to get the next RC out this Friday...

Regards,

Arthur

From andy at vis.ethz.ch Wed Jul 9 07:21:45 2008
From: andy at vis.ethz.ch (Andreas Tscharner)
Date: Wed, 09 Jul 2008 08:21:45 +0200
Subject: [cvsnt-dev] Bug#466408: Failure of Drop-In Compatibility with Old Repository

Arthur Barrett wrote:
> Andreas,

Hello Arthur,

>
> I'm not cc'ing the bug on this message, but I am cc'ing cvsnt-dev.
>
>> create a new
>> package as soon as CVSNT 2.5.04 is released which is due ... When?
>> Arthur? :-)
>
> I'm currently putting together another RC, partly because there were
> some more rename fixes, but mostly because the "old" builds used the
> system libxml2 (except on windows) which for everything except redhat5
> meant it didn't work - that meant no working CVSNT for mac, hpux,
> solaris, redhat4, suse - pretty much everything anyone actually uses in
> "production". Of course all your recent work on Debian has been on the
> builds with libxml2 included, so I think you've got nothing to do at
> your end except testing...

Speaking of included libs: PCRE in cvsnt is quite old (6.6). I count 18 "Common Vulnerabilities and Exposures" on cve.mitre.org. As you said, it does not affect Debian (and probably other distros), because the installed versions of PCRE are used, but are there any plans to update PCRE?

Best regards
Andreas
--
Andreas Tscharner
----------------------------------------------------------------------
"Intruder on level one. All Aliens please proceed to level one."
-- Call in "Alien: Resurrection"

From arthur.barrett at march-hare.com Wed Jul 9 07:53:21 2008
From: arthur.barrett at march-hare.com (Arthur Barrett)
Date: Wed, 9 Jul 2008 16:53:21 +1000
Subject: [cvsnt-dev] Bug#466408: Failure of Drop-In Compatibility with Old Repository

Andreas,

> Speaking of included libs: PCRE in cvsnt is quite old (6.6). I count 18
> "Common Vulnerabilities and Exposures" on cve.mitre.org. As you said: It
> does not affect Debian (and probably other distros), because the installed
> versions of PCRE are used, but are there any plans to update PCRE?

Thanks for the heads up.

Unless someone can show that this is a significant risk for CVSNT users I won't be upgrading it for 2.5.04. We have previously listed PCRE security vulns as low for CVSNT since, the way CVSNT uses it, a user can't obtain any rights they do not already have anyway (e.g. see bug 4638), since the server process is not running privileged.

http://customer.march-hare.com/webtools/bugzilla/ttshow_bug.cgi?tt=1&id=4638

Of the 18 PCRE vulns on CVE I can see only two that clearly affect v6.6 (I don't know enough to be sure that bugs in PCRE 7.x really affect 6.x), and the latest PCRE 7.7 also has CVEs against it, so upgrading to PCRE 7.7 is not going to completely resolve this question anyway.

We updated zlib to 1.2.3 for security vulns at the same time as we updated PCRE (just before 2.5.03 went stable) and that is still the latest version.

I have stated repeatedly that my goal for 2.5.04 is not to fix anything and that it'll be largely "as broken as 2.5.03" since no one is complaining about 2.5.03. The whole point of 2.5.04 is to add features (see my last release notes on the newsgroup for more of a rant on that).

I don't really like releasing things with known CVEs, but I think in this case I will, because my understanding is that the risk is a) no worse than the current CVSNT release and b) pretty insignificant anyway.

Putting this on the table as needing fixing by 2.5.05 is worthwhile.

Can anyone shed more light on this?

Regards,

Arthur Barrett