Re: [Savannah-hackers-public] ViewVC 1.1.26
From: Jeffrey Walton
Subject: Re: [Savannah-hackers-public] ViewVC 1.1.26
Date: Mon, 17 Aug 2020 10:48:05 -0400
On Mon, Aug 17, 2020 at 10:33 AM Amin Bandali <bandali@gnu.org> wrote:
>
> Jeffrey Walton writes:
>
> > The Savannah website uses ViewVC 1.1.26. It looks like ViewVC is a
> > couple of years out of date.
> >
> > The latest versions are 1.2.1 and 1.1.28.
> > https://github.com/viewvc/viewvc/tags
>
> The Savannah server running viewvc installs the viewvc package from the
> repositories of the distro it uses, which is almost always a few
> versions behind the latest upstream. We don't typically build and
> install software from source (as opposed to available distro package),
> unless there is a very good reason to do so.
It seems like running old software is fairly toxic. We know server
compromises most often occur due to stale software. Specifically,
software that is out of date by 30 days or more.
ViewVC has fixed at least two vulnerabilities since 1.1.26.
GNU server compromise has happened in the past:
https://news.slashdot.org/story/10/11/30/2134203/gnu-savannah-site-compromised.
Whatever patch model is being used, it is not working. Learn from the
past mistakes.
Jeff