
List:       xinetd
Subject:    Re: xinetd 2.3.7
From:       Steve G <linux_4ever () yahoo ! com>
Date:       2002-08-13 0:27:57

Hello All,

I think that 2.3.8 needs to follow quickly, too. I've
been working on the redirect code and it seems to be
in bad shape, too. It's a shame that we couldn't get
both fixes into this release. I've still got more
fixes in the pipeline for the whole confparser...we
need to just coordinate the release of 2.3.8.

I don't think the bug that forced 2.3.7's release is
as serious as it first seems. (Not that it shouldn't
be fixed...don't get me wrong.) First, no admin should
be running an untrusted app on his server. Second,
xinetd.conf and related files should be owned by root.
If not, game over. Second, just by simply upgrading
from 2.3.5 to 2.3.6 or 2.3.7 (if it doesn't include
any of my patches), your redirected services will stop
working. So, which is worse? Something that causes
working services to stop, or a security concern for an
untrusted app? 

I had better not see this on bugtraq either because an
admin has to change his config to cause a problem, it's
not remotely exploitable. I quietly fixed worse
problems than this in the 2.3.6 release.

We should have a little rational thought and
discussion that precedes releases and not just
knee-jerk reactions. Not all of Solar Designer's
changes are imperative. For example, the changes in
nv_find_value() are preferential changes just because
he likes char pointers more than arrays. Both ways
work...it's just style. I hate to cause too many
upgrades in a row because it looks like there's a
bigger problem than just uncoordinated releases, but
the redirect issue is a worse problem.

Cheers,
-Steve Grubb
