Mailinglist Archive: opensuse-security (465 mails)

Re: [suse-security] Did SuSE hack mirror?
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Wed, 5 Dec 2001 23:21:12 +0100 (MET)
  • Message-id: <Pine.LNX.4.33.0112052316570.1203-100000@xxxxxxxxxxxx>
> > Maybe the package changelog?
> >
> > rpm -q --changelog mirror
>
> Thanks Lenz.

If the (binary) package doesn't have a long changelog history, then the
source rpm does. If in doubt, see the spec file (available at
/usr/src/packages/SPECS after installing the source rpm).

>
> And that changelog doesn't mention the hack either. The only related
> information is:
>
> - added change against ".." in pathnames provided from remote,
> mirror-2.9.name_map-default.dif (against mirror.defaults).


The fashion that changelogs are made with has increased in quality lately,
and it will continue to do so in the future.

>
> But this is a standard patch and is done in the right place (IMHO):
> mirror.defaults.

I agree that the patch added fixes a security problem at the wrong end. It
was my opinion, too, long before I came to SuSE (Security).

But since nobody complained in three years and since such files with
obnoxious names don't really need to be placed on a tidy ftp server, I
currently see no reason to change it back.

> Simon Oliver


Roman.
--
- -
| Roman Drahtmüller <draht@xxxxxxx> // "You don't need eyes to see, |
SuSE GmbH - Security Phone: // you need vision!"
| Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless |
- -

