[Pkg-monitoring-maintainers] Bug#760372: Bug#760372: Bug#760372: loganalyzer: CVE-2014-6070

Daniel Pocock daniel at pocock.pro
Wed Sep 3 12:05:53 UTC 2014


On 03/09/14 13:15, Rainer Gerhards wrote:
> Andre just went on vacation, but to the best of my knowledge he worked
> with the reporter and has released a new version to address this issue.


Thanks for the feedback.

Salvatore, I'd prefer to update the package closer to the freeze and
roll up any other changes in a single release.

People should not be making LogAnalyzer available to the world,
especially without additional access controls (HTTP authentication), so
that provides some protection against flaws that do exist in this product.

How would the security team feel if this package was classified in a
similar way to the ganglia-web package, e.g. security alerts are not RC
bugs and users are advised to protect the URL with the webserver?

