micahg | dhx1: I take it the bug you filed is already public elsewhere? | 00:09 |
---|---|---|
micahg | dhx1: nm, I see the links, thanks for the bug, I'll try to push this through | 00:23 |
micahg | dhx1: actually, our default is to disable the admin dir from being web accessible, so I guess I won't rush on this, but I still appreciate the bgu | 00:30 |
micahg | *bug | 00:30 |
*** Quits: giallu (~giallu@fedora/giallu) (Ping timeout: 240 seconds) | 01:31 | |
dhx1 | micahg: thanks for the quick response | 02:06 |
micahg | dhx1: np, thank you for letting us know :) | 02:07 |
dhx1 | micahg: for the future, does it make sense to file bugs with both Debian and Ubuntu? | 02:07 |
micahg | dhx1: if it's urgent, yes, otherwise, just file with Debian and feel free to subscribe me | 02:08 |
dhx1 | micahg: ok, thanks :) | 02:08 |
micahg | If the maintainer doesn't get to it by the weekend for Debian, I'll attach a debdiff to the bug | 02:09 |
dhx1 | from what you've said it sounds like the admin/ directory is disabled by default anyway which would solve the issue | 02:09 |
micahg | I actually need to apply a whole bunch of patches to mantis in Ubuntu | 02:09 |
dhx1 | micahg: the problem is that MantisBT 1.1.x is vastly different from 1.2.x and I know for certain that there are probably 30 XSS vulnerabilities unpatched in 1.1.x | 02:10 |
micahg | yes, it's unfortunate, I wish I had time to help the Debian maintainer package 1.2.x | 02:11 |
dhx1 | sorry, CSRF protection is the major security change between versions (1.2.x is comprehensive, 1.1.x isn't) | 02:11 |
dhx1 | yep | 02:11 |
dhx1 | but at the end of the day LFI is severe whereas XSS/CSRF are not as important for most MantisBT users | 02:11 |
dhx1 | there is just too much work involved in reauditing 1.1.x and fixing all the bugs it contains | 02:11 |
micahg | dhx1: no, I understand, you have limited resources | 02:12 |
dhx1 | + it doesn't include newer HTTP security features, etc | 02:12 |
dhx1 | for things which are easy to backport I'll try to do it (or very severe issues like LFI) | 02:12 |
micahg | well, we're stuck with 1.1.x in Lucid until Apr 2013, if 1.2.x ever gets packaged, we can definitely backport it | 02:13 |
dhx1 | micahg: so I take it the delay is that Debian hasn't put 1.2.x into their unstable branch? | 02:15 |
dhx1 | (I'm not too familiar with the Debian process) | 02:15 |
micahg | dhx1: yes, well, they could upload it to experimental, but I don't know if any work has gone into it lately, last update was July :( http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=575347 | 02:17 |
micahg | I'll send an e-mail to the Debian maintainers and ask about it | 02:19 |
dhx1 | micahg: hmmm a dependency on apache2 (in the supplied package script) looks odd... does Debian/Ubuntu essentially force you to use one HTTP server (Apache) for web packages? | 02:19 |
* micahg checks | 02:20 | |
micahg | dhx1: nope, just a sane default, any webserver that provides httpd will work | 02:20 |
dhx1 | ah ok it must have just been a bad user supplied script | 02:21 |
*** Joins: Cupertino (~Cupez@unaffiliated/cupertino) | 02:28 | |
*** Joins: Github (~Github@sh1-ext.rs.github.com) | 02:30 | |
Github | mantisbt: master David Hicks * 974e6da (1 files in 1 dirs): Fix #12607: LFI/PD/XSS in upgrade_unattended.php ... | 02:30 |
Github | mantisbt: master David Hicks * 065c99c (1 files in 1 dirs): Fix #12607: Update installation instructions regarding admin directory ... | 02:30 |
Github | mantisbt: master David Hicks * 970630a (1 files in 1 dirs): Fix #12607: Improve admin directory check on login_page ... | 02:30 |
Github | mantisbt: master David Hicks * 99deb81 (1 files in 1 dirs): Move admin access check to top of test_langs script ... | 02:30 |
Github | mantisbt: master commits 184a0f4...99deb81 - http://bit.ly/f0AfjX | 02:30 |
*** Parts: Github (~Github@sh1-ext.rs.github.com) | 02:30 | |
*** Joins: Rixie (~Rixie@0x4dd7390e.adsl.cybercity.dk) | 02:50 | |
*** Joins: Al_Chapone (~chatzilla@ATuileries-153-1-77-170.w83-202.abo.wanadoo.fr) | 03:50 | |
*** Joins: paulr (~a@212.85.5.19) | 04:04 | |
*** Joins: giallu (~giallu@fedora/giallu) | 04:07 | |
*** Joins: kirillka (~Miranda@195.242.142.17) | 04:53 | |
*** Joins: siebrand (~beis@535392CA.cm-6-4c.dynamic.ziggo.nl) | 04:58 | |
*** Quits: Rixie (~Rixie@0x4dd7390e.adsl.cybercity.dk) (Read error: Connection reset by peer) | 05:02 | |
*** Joins: Rixie (~Rixie@0x4dd7390e.adsl.cybercity.dk) | 05:03 | |
*** Joins: rolfkleef (~rolf@134.219.144.224) | 06:05 | |
*** Quits: rolfkleef (~rolf@134.219.144.224) (Disconnected by services) | 06:41 | |
*** Joins: rolfkleef1 (~rolf@134.219.217.112) | 06:41 | |
*** Joins: rolfkleef (~rolf@134.219.217.112) | 06:43 | |
*** Quits: rolfkleef1 (~rolf@134.219.217.112) (Read error: Connection reset by peer) | 06:43 | |
*** Quits: Al_Chapone (~chatzilla@ATuileries-153-1-77-170.w83-202.abo.wanadoo.fr) (Ping timeout: 260 seconds) | 07:18 | |
*** Quits: rolfkleef (~rolf@134.219.217.112) (Quit: Leaving.) | 07:55 | |
*** Joins: rolfkleef (~rolf@134.219.217.112) | 07:55 | |
*** Quits: rolfkleef (~rolf@134.219.217.112) (Read error: Connection reset by peer) | 07:59 | |
*** Joins: rolfkleef (~rolf@134.219.217.112) | 07:59 | |
*** Joins: Al_Chapone (~chatzilla@ATuileries-153-1-77-170.w83-202.abo.wanadoo.fr) | 08:01 | |
*** Quits: rolfkleef (~rolf@134.219.217.112) (Read error: Operation timed out) | 08:02 | |
*** Joins: rolfkleef (~rolf@134.219.217.112) | 08:32 | |
*** Quits: Al_Chapone (~chatzilla@ATuileries-153-1-77-170.w83-202.abo.wanadoo.fr) (Read error: Connection reset by peer) | 08:42 | |
*** Joins: Al_Chapone (~chatzilla@ATuileries-153-1-77-170.w83-202.abo.wanadoo.fr) | 08:42 | |
*** Joins: rolfkleef1 (~rolf@134.219.144.224) | 08:53 | |
*** Quits: rolfkleef (~rolf@134.219.217.112) (Disconnected by services) | 08:53 | |
*** Quits: kirillka (~Miranda@195.242.142.17) (Quit: kirillka) | 10:02 | |
*** Joins: hanoii (~ariel@190.247.86.232) | 10:07 | |
hanoii | Even though $g_email_receive_own is default to OFF, why I am getting email notifications on relationship changes I enter (only with that)? | 10:08 |
*** Quits: Cupertino (~Cupez@unaffiliated/cupertino) (Quit: I give up...) | 11:04 | |
*** Quits: hanoii (~ariel@190.247.86.232) (Quit: Leaving) | 11:06 | |
*** Joins: mantisbt_02950 (5b7c1a5a@gateway/web/freenode/ip.91.124.26.90) | 11:15 | |
*** Quits: Rixie (~Rixie@0x4dd7390e.adsl.cybercity.dk) (Quit: Rixie) | 12:00 | |
*** Quits: paulr (~a@212.85.5.19) () | 12:03 | |
*** Quits: micahg (~micah@ubuntu/member/micahg) (Ping timeout: 250 seconds) | 12:04 | |
*** Quits: giallu (~giallu@fedora/giallu) (Ping timeout: 264 seconds) | 12:13 | |
*** Quits: Al_Chapone (~chatzilla@ATuileries-153-1-77-170.w83-202.abo.wanadoo.fr) (Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]) | 12:13 | |
*** Joins: daryn (~daryn@h158.249.190.173.static.ip.windstream.net) | 12:34 | |
*** Joins: moto-moi (~hylke@2001:888:13e4:0:21f:e2ff:fe0c:ce28) | 12:37 | |
*** Joins: LiquidWorm (~jox@92.53.11.102) | 12:37 | |
*** Quits: mantisbt_02950 (5b7c1a5a@gateway/web/freenode/ip.91.124.26.90) (Quit: Page closed) | 12:38 | |
*** Joins: micahg (~micah@ubuntu/member/micahg) | 13:06 | |
*** Quits: micahg (~micah@ubuntu/member/micahg) (Ping timeout: 264 seconds) | 13:33 | |
*** Joins: giallu (~giallu@fedora/giallu) | 13:46 | |
*** Joins: flg (~flg@adsl-84-226-4-242.adslplus.ch) | 13:56 | |
flg | hi all | 13:56 |
flg | is ticket escalation possible somehow? | 13:56 |
*** Joins: micahg (~micah@ubuntu/member/micahg) | 15:05 | |
*** Joins: djSupport (~djsupport@188-221-240-190.zone12.bethere.co.uk) | 16:18 | |
*** Quits: djSupport (~djsupport@188-221-240-190.zone12.bethere.co.uk) (Read error: Connection reset by peer) | 16:42 | |
*** Quits: moto-moi (~hylke@2001:888:13e4:0:21f:e2ff:fe0c:ce28) (Ping timeout: 260 seconds) | 18:35 | |
*** Joins: thraxisp (~thraxisp@24.139.16.154) | 18:59 | |
*** Quits: scribe9343423 (~scribe934@static.96.23.63.178.clients.your-server.de) (Remote host closed the connection) | 19:00 | |
*** Joins: paulr (~IceChat09@cpc1-enfi9-0-0-cust389.hari.cable.virginmedia.com) | 19:00 | |
*** Joins: scribe9343423 (~scribe934@static.96.23.63.178.clients.your-server.de) | 19:00 | |
*** Quits: paulr (~IceChat09@cpc1-enfi9-0-0-cust389.hari.cable.virginmedia.com) (Client Quit) | 19:04 | |
flg | is ticket escalation possible somehow? | 19:39 |
*** Quits: rolfkleef1 (~rolf@134.219.144.224) (Read error: Connection reset by peer) | 19:49 | |
*** Joins: rolfkleef (~rolf@134.219.144.224) | 19:51 | |
flg | nevermind, found my answers i think... | 19:53 |
flg | roadmap... filters... | 19:53 |
flg | ? :) | 19:54 |
*** Quits: rolfkleef (~rolf@134.219.144.224) (Ping timeout: 276 seconds) | 19:56 | |
*** Quits: LiquidWorm (~jox@92.53.11.102) (Read error: Connection reset by peer) | 20:06 | |
*** Joins: LiquidWorm (~jox@92.53.11.102) | 20:11 | |
*** Quits: flg (~flg@adsl-84-226-4-242.adslplus.ch) (Quit: Leaving) | 20:53 | |
*** Quits: LiquidWorm (~jox@92.53.11.102) () | 20:55 | |
*** Quits: micahg (~micah@ubuntu/member/micahg) (Read error: Operation timed out) | 23:33 |