[Pkg-monitoring-maintainers] Bug#702775: ganglia: limiting security support

Daniel Pocock daniel at pocock.com.au
Mon May 27 16:56:25 UTC 2013


On 27/05/13 18:41, Salvatore Bonaccorso wrote:
> Hi Daniel, hi Stuart
> 
> On Mon, Mar 11, 2013 at 11:34:49AM +0100, Raphael Geissert wrote:
>> Package: ganglia
>> Version: 3.3.8-1
>> Severity: grave
>> Tags: security
>> Control: clone -1 -2
>> Control: reassign -2 src:ganglia-web 3.5.2-1
>> X-Debbugs-cc: team at security.debian.org
>>
>> Hi again,
>>
>> Given the recent issues in Ganglia's web frontend and a review of some
>> portions of the code we, as in the security team, have decided to
>> limit ganglia's security support to installations behind a trusted
>> HTTP zone.
>> Any vulnerability that is only relevant when exposing ganglia's web
>> frontend to a non-secure zone will therefore be treated as a non-issue
>> by the security team. They could still be fixed via a SPU, however.
>>
>> As such, please add a README.Debian.security file briefly mentioning
>> the limited security support, effective for the version in wheezy and
>> newer.
> 
> Looks like the changes from 3.3.8-1+nmu1 got lost with the recent upload.
> Could you please re-add the debian/README.Debian.security file
> describing the limited support?
> 
> See #702775.


I'd like to understand this a little better.

Is this a general strategy for multiple PHP packages now, or a special
case just for Ganglia?

If it's relevant, is the security team aware of the number of public
installations that are easily found with a Google search?

Sample search query (with the quotes): "ganglia" "cluster report"

Some are even promoted more publicly:

  http://ganglia.wikimedia.org/

The recent decision to split the upstream web/ source tree into a
standalone source package should ease the process for NMUs, as it means
somebody patching the web code doesn't have to worry about the rest of
the binary packages, autotools or anything else like that.  I realise
this doesn't address all your concerns, but I hope it is helpful. Today's
upload is the first upload using the new upstream source layout.

Regards,

Daniel
