[HCoop-Discuss] subversion-hooks security hole?
Adam Chlipala
adamc at hcoop.net
Fri Dec 8 18:44:53 EST 2006
Daniel S. Wilkerson wrote:
>I made a real attempt to find a discussion of this issue in the
>hcoop-discuss archives, but there is no search for them and the Google
>site:hcoop.net search, while yielding some relevant emails, leaves
>something to be desired.
>
>
You can find the whole discussion starting here:
http://hcoop.net/pipermail/hcoop-discuss/2006-November/000561.html
>1 - What is the real security threat here? Can people really get to my
>data or my subversion server if I had one? Do other bad things?
>
>
It is essential to be able to figure out which member is responsible for
any security hole. This means that we can't let users run programs as
other users. This issue let people do that, and that's all we need to
label it as a security hole.
>If there is a real threat and it cannot be fixed, it seems that we
>should shut off subversion hooks until it can be fixed.
>
>
I'm not sure if it came up in that thread, but we did shut off Apache
Subversion support shortly after the problem was discovered.
More information about the HCoop-Discuss
mailing list