
Re: XSS in pgstatus code

On Sat, Feb 18, 2012 at 11:13:46AM +0100, info@moritz-naumann.com wrote:
> > RT #151 is secret, so I can't even access it.  You could've just
> > reported a bug about it publicly.  (But then I acknowledge that
> > there probably wasn't an appropriate pseudo-package back then, apart
> > from the web one maybe.)
> Here's the full list of e-mail addresses who got a copy of this report
> since Aug 2007:
> rmurray[at]debian.org
> jeroen[at]wolffelaar.nl
> admin[at]rt.debian.org
> security[at]debian.org
> ftpmaster[at]ftp-master.debian.org
> owner[at]bugs.debian.org
> debian-www[at]lists.debian.org
> 
> Also, I did publish it over here in November 2008:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504608

And #506807 was cloned from it and solved.  It did not mention
/status/ though, AFAICS.  I.e. when Adeodato discovered it in the
wrong venue it was fixed.

> The intention of this e-mail is not to blame anyone, but to point out
> that there may be (or may have been) a lack of a process which is
> capable of handling such reports and ensuring that all of the following
> takes place:
> 
> * someone who is both able to and interested in maintaining the public
> facing software installation and reacts to bug reports responsibly (and
> thus in a timely fashion) exists

Please note that the public facing software installation was hosted in
a userdir.  Yes, that's bad.  The admins are now getting grumpy
whenever somebody does that.  (Rightfully so.)

> * someone who is both able to and interested in maintaining the software
> and reacts to bug reports responsibly (and thus in a timely
> fashion) exists

The status code was pretty much unmaintained for years.  That it moved
from userdir to userdir certainly didn't help.  But it has a
maintainer now.

> * such reports end up with both these roles, and both of them
> communicate with each other to ensure that after the software is fixed,
> the fix is rolled out to all installations

That's hard with unofficial services that are cloned from official
ones, FWIW.  At least as long as you can't simply update from git.

Kind regards
Philipp Kern
