[cosmo-dev] 0.10 security bug discovered (and fixed)
twl at osafoundation.org
Wed Dec 5 18:26:52 PST 2007
Even if we stick these in an EOD 0.11 tomorrow, we'd still need to
qualify that 0.11 which seems like it would take more time than
0.10.1. I think the real question is how comfortable Jared Rhine
feels with a hot update to hub asap.
On Dec 5, 2007, at 6:04 PM, Mikeal Rogers wrote:
> Yeah, this is bad.
> I'll add an automated test for this so it won't slip through again.
> Ted said that there were only 2 bugs left in 0.11, if those are
> done by EOD tomorrow we should just stick this fix in 0.11 and not
> bother with an 0.10.1.
> I imagine you have a fix for this already. Can we patch hub tonight?
> On Dec 5, 2007, at 5:52 PM, Brian Moseley wrote:
>> This evening I discovered a security bug in 0.10 whereby user A can
>> PUT, MKCOL and MKCALENDAR resources directly within user B's home
>> collection. I found this bug because there is a resource within my
>> home collection that I did not create. It appears that a user
>> configured his iCal to publish a webcal calendar into my home
>> collection (whose URL was given as an example in the iCal client
>> I've logged bug 11587 at
>> https://bugzilla.osafoundation.org/show_bug.cgi?id=11587. I've
>> checked in a fix on the 0.10 branch and am about to merge it to the
>> The bug has existed since r5855, which occurred on the trunk during
>> 0.10 development. It is not present in 0.9.1 or earlier versions.
>> While fixing that bug, I also discovered bug 11588, in which Cosmo
>> returns a 500 response to GET on a 0-length resource. The fix for that
>> bug is quite tiny, so I checked it into the 0.10 branch as well (and
>> will be merging it to the trunk shortly).
>> Neither of these bugs is targeted. I recommend a 0.10.1 release ASAP.
>> cosmo-dev mailing list
>> cosmo-dev at lists.osafoundation.org