[Mageia-dev] slight security improvement: should we update aria2 to 1.11.2?
Michael Scherer
misc at zarb.org
Tue May 24 10:17:20 CEST 2011
On Tuesday, 24 May 2011 at 10:07 +0200, Thierry Vignaud wrote:
> Hi
>
> We are currently shipping aria2-1.11.1.
>
> However, the latest version is 1.11.2, which slightly improves security
> when using authenticated media by hiding them from process viewers
> (ps, ...):
>
> http://sourceforge.net/news/?group_id=159897
> "The username and password specified in command-line are now masked with
> "*" immediately after parsed, so that ps cannot show username and password."
>
> Since that does not happen for most users and since we don't provide auth media,
> that's not an immediate concern, so should we update for Mageia 1?
I would keep this as an update after the release is out (like the 4
ruby CVEs, the libzip one (CVE-2011-0421)) and others that came out since
yesterday.
So maybe we could open bugs for this?
There are 2 proposals:
- filing them on security, and having a saved search
- creating a tracker bug
I would be in favor of the tracker bug:
- you can subscribe to it
- it will be clearer (as bugfixes are not security so we may miss some
update to do)
- it doesn't pollute the list of saved searches
But as pascal said, a tracker bug requires each bug to be linked to
it, which is manual and error prone.
Any opinion on this (or a 3rd proposal)?
--
Michael Scherer
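
The masking described in the quoted aria2 release note, as an added example that is not part of the original message and is not aria2's own code. The function name and the list of credential options are assumptions chosen for illustration; the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Credential-bearing options to mask (assumed list for this example). */
static const char *const SECRET_OPTS[] = {
    "--http-user=", "--http-passwd=", "--ftp-user=", "--ftp-passwd=",
};

/* Overwrite the value of every "--opt=value" credential argument with '*',
 * in place and keeping its length, so the argument area that ps reads no
 * longer holds the secret. The caller must copy the values it needs first.
 * Returns the number of arguments masked. */
int mask_credential_args(int argc, char **argv)
{
    int masked = 0;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--") == 0)
            break; /* everything after "--" is positional, not an option */
        for (size_t k = 0; k < sizeof SECRET_OPTS / sizeof SECRET_OPTS[0]; k++) {
            size_t n = strlen(SECRET_OPTS[k]);
            if (strncmp(argv[i], SECRET_OPTS[k], n) == 0) {
                memset(argv[i] + n, '*', strlen(argv[i] + n));
                masked++;
                break;
            }
        }
    }
    return masked;
}

int main(int argc, char **argv)
{
    /* A real program would parse and copy the option values here,
     * then mask immediately afterwards. */
    int n = mask_credential_args(argc, argv);
    printf("masked %d argument(s)\n", n);
    for (int i = 0; i < argc; i++)
        printf("argv[%d] = %s\n", i, argv[i]);
    return 0;
}
```

Masking only takes effect once the program has started and parsed its arguments, so the original values are visible to process viewers for a short window before that.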