[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Chad C. Walstrom
Fri, 29 Oct 2004 16:33:19 -0500
Hello, folks. Well, now that my training as a parent have been
initiated, I think it's time to put my shoulder to the grindstone.
Hans-Albert submitted a change to CVS to fix a couple buffer overflow
problems on September 6th, and we should roll these out into a new
release of gnats sooner than later. An optimistic goal is to have a
release ready to roll out by Monday. If you have patches or fixes you
would like incorporated, please let me know ASAP.
Things I still plan on rolling in for the 4.1 release:
* NEWS: Summarize changes and important security fixes
* A note in the compilation documentation that bison version 1.35 or
earlier is required to rebuild getdate.c.
(Is there anyone versed in using bison to update the getdate.y file
to use bison 1.875?)
* install-sid: Either remove or update so that a separate
configuration (sh) file is generated rather than editing send-pr.
- Source a configuration (sh) file (i.e. /etc/gnats/send-pr.conf)
and $HOME/.send-pr.conf to override default environment variables
- Remove or update references/error messages regarding install-sid
* debian/...: Roll in changes from current debian package
I'm going to hold off on the PAM patch for just a while longer. Pankaj,
do you think it would be possible to add a cautionary note in gnats.texi
regarding the security problems in exposing the PAM to GNATS
authentictation (i.e. plain-text network protocol sniffing)? For
example, we should suggest that administrators not authenticate system
accounts through GNATS. Rather, give suggestions for using other PAM
modules to authenticate against alternate passwd or db format files.
(Is it possible to blacklist pam modules for use w/gnats?)
Once we get a gnutls layer incorporated into the gnats daemon and
libraries, we could update our suggestions to be more permissive.
Note: I do have to purchase and install a new power supply for my
workstation at home, but I hope to have it up and running later tonight.
Chad Walstrom <address@hidden>
- Preparing 4.1...,
Chad C. Walstrom <=