
Bug#559453: marked as done (only limited security support for ocsinventory-server and sql-ledger)



Your message dated Sat, 21 Aug 2010 23:59:13 -0700
with message-id <20100822065913.GB17271@dario.dodds.net>
and subject line Re: only limited security support for ocsinventory-server and sql-ledger
has caused the Debian Bug report #559453,
regarding only limited security support for ocsinventory-server and sql-ledger
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
559453: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559453
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release-notes
Severity: important

Hi

Please indicate that the packages ocsinventory-server and sql-ledger
only receive limited security support, because they should only be used
behind authenticated HTTP zones. For sql-ledger, this is true for etch,
lenny and squeeze and for ocsinventory-server this affects lenny and
squeeze. A note just like for the mozilla stuff should suffice.
Thanks in advance.

Cheers
Steffen



--- End Message ---
--- Begin Message ---
Fixed for the lenny and squeeze release notes with the following patch:

=== modified file 'en/issues.dbk'
--- en/issues.dbk	2009-08-22 22:14:09 +0000
+++ en/issues.dbk	2010-08-22 06:58:26 +0000
@@ -493,6 +493,23 @@
 </para>
 </section>
 
+<section id="webservice-security">
+<title>Security status of OCS Inventory and SQL-Ledger</title>
+<para>
+<indexterm><primary>OCS Inventory</primary></indexterm>
+<indexterm><primary>SQL-Ledger</primary></indexterm>
+The webservice packages <systemitem
+role="package">ocsinventory-server</systemitem> and <systemitem
+role="package">sql-ledger</systemitem> are included in the &releasename;
+release but have special security requirements that users should be aware of
+before deploying them.  These two webservices are designed for deployment
+only behind an authenticated HTTP zone and should never be made available to
+untrusted users; and therefore they receive only limited security support
+from the Debian security team.  Users should therefore take particular care
+when evaluating who to grant access to these services.
+</para>
+</section>
+
 <section id="kde-desktop-changes">
 <title>KDE desktop</title>
 <para>
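Review bot: the added paragraph in the new webservice-security section says the services are for deployment "only behind an authenticated HTTP zone" but never explains the term, so an administrator cannot tell from the release notes whether the application's own login counts or whether authentication has to be enforced in front of it. Suggest one extra sentence stating the requirement concretely (for example, that access must be restricted by authentication at the web server before requests reach the application, if that is the intended meaning) or a pointer to each package's documentation. Style, same paragraph: "untrusted users; and therefore they receive" followed by "Users should therefore" repeats "therefore"; ending the sentence at "untrusted users." and continuing with "As a result, they receive only limited security support" reads more cleanly, and "who to grant access to" could be "whom to grant access to".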


Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org



--- End Message ---
