savannah-hackers-public

Re: [Savannah-hackers-public] ViewVC 1.1.26


From: Jeffrey Walton
Subject: Re: [Savannah-hackers-public] ViewVC 1.1.26
Date: Mon, 17 Aug 2020 10:48:05 -0400

On Mon, Aug 17, 2020 at 10:33 AM Amin Bandali <bandali@gnu.org> wrote:
>
> Jeffrey Walton writes:
>
> > The Savannah website uses ViewVC 1.1.26. It looks like ViewVC is a
> > couple of years out of date.
> >
> > The latest versions are 1.2.1 and 1.1.28. 
> > https://github.com/viewvc/viewvc/tags
>
> The Savannah server running viewvc installs the viewvc package from the
> repositories of the distro it uses, which is almost always a few
> versions behind the latest upstream.  We don't typically build and
> install software from source (as opposed to available distro package),
> unless there is a very good reason to do so.

It seems like running old software is fairly toxic. We know server
compromises most often occur due to stale software. Specifically,
software that is out of date by 30 days or more.

ViewVC has fixed at least two vulnerabilities since 1.1.26.

GNU server compromise has happened in the past:
https://news.slashdot.org/story/10/11/30/2134203/gnu-savannah-site-compromised.
Whatever patch model is being used, it is not working. Learn from the
past mistakes.

Jeff


