diff options
| author | joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> | 2006-07-30 06:08:56 +0000 |
|---|---|---|
| committer | joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> | 2006-07-30 06:08:56 +0000 |
| commit | 8a5f9f6e0047149040c50db571faac89ab443085 (patch) | |
| tree | c20355ac3fb44f02ea36560b71b48594472e5602 | |
| parent | b9693d13ef99d3d904a2a9f8226da400fff2c807 (diff) | |
security note
| -rw-r--r-- | doc/security.mdwn | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn index e72b3fe2b..4db756e2e 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -18,6 +18,14 @@ Anyone with direct commit access can forge "web commit from foo" and make it appear on [[RecentChanges]] like foo committed. One way to avoid this would be to limit web commits to those done by a certian user. +## XML::Parser + +XML::Parser is used by the aggregation plugin, and has some security holes +that are still open in Debian unstable as of this writing. #378411 does not +seem to affect our use, since the data is not encoded as utf-8 at that +point. #378412 could affect us, although it doesn't seem very exploitable. +It has a simple fix, which should be NMUed or something.. + ## other stuff to look at I need to audit the git backend a bit, and have been meaning to |