Date: Fri, 16 Nov 2012 14:03:17 -0500
From: Rich Felker <dalias@...ifal.cx>
To: musl@...ts.openwall.com
Subject: Re: Remaining agenda for 0.9.8

On Fri, Nov 16, 2012 at 07:02:26AM -0800, Isaac Dunham wrote:
> On Fri, 16 Nov 2012 02:11:35 -0500
> Rich Felker <dalias@...ifal.cx> wrote:
> 
> > > For releases that do need more testing, what would you think of rc
> > > tarballs? While git can be built with only libc as a dependency*
> > > (NO_PYTHON=1 NO_PERL=1 MSGFMT=true... if I remember right), "pull
> > > from git" does still limit your audience.
> > 
> > The old gitweb had a "download tarball" link. I don't think cgit has
> 
> BTW, I hope you've updated cgit recently: there's a command
> execution bug that was recently fixed (as well as another security
> issue).

The attack vector is malicious repositories. If the repository had
malicious commits injected into it, that would be considerably worse
than somebody obtaining limited access on the webserver. :-)

But I will go ahead and upgrade it soon anyway.

Rich
