Re: [thierry.laronde: cgi-scripts introduces potential security holes]
On Sat, Jan 15, 2000 at 04:25:35PM +0100, Thierry Laronde wrote:
> Package: cgi-scripts
> Severity: critical
> This orphaned package is, at the moment, inconsistent, lacking documentation,
> giving scripts that are now almost useless, and placing in /cgi-bin/ Bourne
> Shell scripts invoking directly commands like 'finger', which introduces
> security holes.
Did you find security holes? If not, how can you be sure that there are
some? If I remember well, some have already been discovered and most
of the shell escape problems have been fixed. I think this bug shouldn't
be marked as grave until a real problem is given.
Anyway I wouldn't mind if we remove this package from Debian. What do
people think?
Raphaël Hertzog -=- http://tux.u-strasbg.fr/~raphael/
<pub> Debian CDs: http://tux.u-strasbg.fr/~raphael/debian/#cd </pub>