Re: April report
I am just about to untake xbmc. I don't think it makes sense to continue.
Upstream bug report:
https://trac.kodi.tv/ticket/17314
This issue, and the lack of response to the upstream bug report, clearly
makes me think upstream is not serious about security issues. As such I
think this webserver (any version) should be restricted to trusted networks
by trusted users.
The reasons I feel it is unwise to continue:
* Possibility of other security issues. Probably suffers CSRF
vulnerabilities if nothing else (No, I haven't checked properly -
except by "grep -i CRSF" in source).
* No fixes available for any version available.
* No response to upstream bug report - Was opened in February.
* Possibility that designing my own fix might break something or not fix
it properly.
* I don't see any evidence of tests being run during builds that might
pick up on breakage I might accidentally introduce.
--
Brian May <bam@debian.org>