[Mageia-dev] slight security improvement: should we update aria2 to 1.11.2?

Tue May 24 10:17:20 CEST 2011

Le mardi 24 mai 2011 à 10:07 +0200, Thierry Vignaud a écrit :
+> Hi
+> 
+> We are currently shiping aria2-1.11.1.
+> 
+> However latest version is 1.11.2 which slightly improve security when
+> using authenticated
+> media by hiding them from process viewers (ps, ...):
+> 
+> http://sourceforge.net/news/?group_id=159897
+> "The username and password specified in command-line are now masked with
+> "*" immediately after parsed, so that ps cannot show username and password."
+> 
+> Since that does not happen for most users and since we don't provide auth media,
+> that's not a immediate concern, so should we update for Mageia 1?
+
+I would keep this as a update after the release is out ( like they 4
+ruby cve, libzip one ( CVE-2011-0421 )) and others that came out since
+yesterday. 
+
+So maybe we could open bugs for this ?
+
+There is 2 proposal :
+- filling them on security, and have a saved search 
+- creating a tracker bug 
+
+I would be in favor of the tracker bug :
+- you can subscribe to it
+- it will be clearer ( as bugfixes are not security so we may miss some
+update to do )
+- it doesn't pollute the list of saved search
+
+But as pascal said, a tracker bug requires that each bug to be linked to
+it, which is manual and error prone.
+
+Any opinion on this ( or a 3rd proposal ) ?
+
+-- 
+Michael Scherer
+
+