[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 16 Nov 2012 14:03:17 -0500
From: Rich Felker <dalias@...ifal.cx>
To: musl@...ts.openwall.com
Subject: Re: Remaining agenda for 0.9.8
On Fri, Nov 16, 2012 at 07:02:26AM -0800, Isaac Dunham wrote:
> On Fri, 16 Nov 2012 02:11:35 -0500
> Rich Felker <dalias@...ifal.cx> wrote:
>
> > > For releases that do need more testing, what would you think of rc
> > > tarballs? While git can be built with only libc as a dependency*
> > > (NO_PYTHON=1 NO_PERL=1 MSGFMT=true... if I remember right), "pull
> > > from git" does still limit your audience.
> >
> > The old gitweb had a "download tarball" link. I don't think cgit has
>
> BTW, I hope you've updated cgit recently: there's a command
> execution bug that was recently fixed (as well as another security
> issue).
The attack vector is malicious repositories. If the repository had
malicious commits injected into it, that would be considerably worse
than somebody obtaining limited access on the webserver. :-)
But I will go ahead and upgrade it soon anyway.
Rich
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
