I normally don't relay security announcements for GForge or FusionForge on this blog, but I will make an exception this time: Alain Peyrat found several places in the code with insufficient input sanitizing, which can cause cross-site scripting vulnerabilities (CVE-2009-3303). It's been fixed in the 4.7 and 4.8 branches as well as the trunk of FusionForge (and in Debian Sid and Squeeze), and updated Debian packages for GForge 4.5 and 4.7rc2 have been released for users of the Etch and Lenny distributions.
The reason I make an exception for announcing this here is to remind people that I appear to be the only one maintaining code for GForge 4.5. I do that for two reasons: first, because I'm the maintainer of the package in Debian, Debian Etch has GForge 4.5, and Etch is supported for security fixes; second, because I also admin/maintain an instance for a client of mine, so I need to backport the fixes anyway, and making them public is no bother. Both of these reasons are going to vanish sometime in the not-too-distant future: security support for Etch will end in February 2010, and I hope to have migrated my client's forge to FusionForge 4.8 by then too. A direct consequence is that I will probably stop maintenance for GForge 4.5 in the coming months (at least I'll stop doing it in my free time).
So if you're still using GForge 4.5, you should really consider upgrading to something supported, either GForge AS (free download from the GForge Group) or FusionForge (free as in Free Software). Both have an upgrade path. Obviously I think FusionForge is a better choice, but my position is probably biased.
Posted Sat 21 Nov 2009 18:15:03 CET

Note for later: when, through circumstances beyond one's control, one ends up with a brand-new motorcycle, there is running-in to be done. At first, one therefore rides gently, but afterwards one may get the impression of still riding gently, even when no longer keeping to the rev ranges allowed during the first few hundred kilometres. It is therefore advisable, when going back to the friendly dealer for the end-of-running-in service, to kindly ask him to check whether he might not have inadvertently forgotten to remove the "new licence holder" power restrictor when delivering the bike.

So this weekend I tested my new new engine. And it must be said that 85 horsepower is better than 34. Especially when the road is beautiful and the autumn mountains are a multicoloured grey-green-yellow-red…
Posted Sun 15 Nov 2009 22:35:04 CET