
Re: XSS in pgstatus code



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Philipp,

On 17.02.2012 22:12 Philipp Kern wrote:
> On Mon, Feb 13, 2012 at 11:04:05PM +0100, info@moritz-naumann.com wrote:
>> For what it's worth, I first reported this in July 2007 and repeatedly
>> since then, to various contacts, also including other issues. See also
>> rt.debian.org ticket #151. I do know Debian is all volunteer run. Still,
>> also because of the good work the security teams are doing,
>> I had hoped for a better responsiveness (this is 4.5 years now) to such
>> issues.
> 
> I think it's no secret that we were low on manpower back then.  It never
> landed on my desk since I joined that part of the project in 2009.

thanks for providing this explanation. This may mean that other people
who were trying to report such issues had experiences similar to mine,
and that, if the manpower situation is less problematic now, it may be
worth searching the web or other available resources (such as RT) for
similar reports which were insufficiently handled during this time (and
may still apply now).

> Also you said in your mail that you "just" came across this issue.

That's right. When I said this I did not remember that I had previously
reported it (I remembered this only after sending this year's first
e-mail on this topic), since I had given up on finding anyone who feels
responsible back in 2008.

> RT #151 is secret, so I can't even access it.  You could've just
> reported a bug about it publically.  (But then I acknowledge that
> there probably wasn't an appropriate pseudo-package back then, apart
> from the web one maybe.)

Here's the full list of e-mail addresses who got a copy of this report
since Aug 2007:
rmurray[at]debian.org
jeroen[at]wolffelaar.nl
admin[at]rt.debian.org
security[at]debian.org
ftpmaster[at]ftp-master.debian.org
owner[at]bugs.debian.org
debian-www[at]lists.debian.org

Also, I did publish it over here in November 2008:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504608

The intention of this e-mail is not to blame anyone, but to point out
that there may be (or may have been) a lack of a process which is
capable of handling such reports and ensuring that all of the following
takes place:

* someone who is both able to and interested in maintaining the
public-facing software installation and reacts to bug reports responsibly
(and thus in a timely fashion) exists

* someone who is both able to and interested in maintaining the software
and reacts to bug reports responsibly (and thus in a timely fashion) exists

* such reports end up with both these roles, and both of them
communicate with each other to ensure that after the software is fixed,
the fix is rolled out to all installations

Apparently this is less of a concern (or even none) now, at least in the
case of buildd bugs, which I am glad to recognize.

Moritz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCgAGBQJPP3nLAAoJEL2W7K2TRQCwH54QAKhjT1eNd8kyzfu5yRJ8lk1G
QEHMvshBu02HZFLo2Kj6rf9lNxfsyTn4ludI1VSfg0+ar5CJcBhqr6sM3pFGAlnr
coJdvfCsQKGGWDTNbzMCKX90T586VwWDVA0gkMg/n2uYKRCfVXF3l9b5R/IKcyaL
HEfjzU/ekNiApTnSCKnZ+Tiktg8OfDwxj+j/C9nmTqG72hDuQOlb59AclMQy+jZI
7uSyZW3jxipgn71Mur7DnLf2JrxFgItJp9ivECNWtLMOWTFY1kJVnQsdcpiCk6xx
AQkg6JWqLdkUcqxGGMyLlzdqqXXMOiXABGwfNdbl1LstQtVsG79ar837JfHLplwS
lZ6uiRO/vDlzv9FvUUgqTgGeJw11JkJAyefFF2rlIZZ5toYGQjslgmOznwK0LnHz
xMZo4lrSHCnsCd/BRchSCk9vOrtGvhO9nzYAjUzYfHg0QREkR/RdHxc/gHxOTC2w
4dCgnjvyv/2up2tXaupiqPfZ+k2YnArfTPDm17KBIohhWB8epHMmKI2AtqDTAHUp
6ieqU9k+6UgLCMMzc+TnZOBu965m7tGmNL9F4yinY2f+1hJO1yTtRBozQSEzrmsU
o8/B4y1GDbIyWcvcVrueTd56AbXNIEwe+ie4wIKIV2Fw8kQaQFm44B+giumlL5u+
6Wmb3BboZI9f+iZ1w/kH
=W2yl
-----END PGP SIGNATURE-----
