Your message dated Sat, 21 Aug 2010 23:59:13 -0700
with message-id <[email protected]>
and subject line Re: only limited security support for ocsinventory-server and
sql-ledger
has caused the Debian Bug report #559453,
regarding only limited security support for ocsinventory-server and sql-ledger
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
559453: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559453
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release-notes
Severity: important
Hi
Please indicate that the packages ocsinventory-server and sql-ledger
only receive limited security support, because they should only be used
behind authenticated HTTP zones. For sql-ledger, this is true for etch,
lenny and squeeze and for ocsinventory-server this affects lenny and
squeeze. A note just like for the mozilla stuff should suffice.
Thanks in advance.
Cheers
Steffen
--- End Message ---
--- Begin Message ---
Fixed for the lenny and squeeze release notes with the following patch:
=== modified file 'en/issues.dbk'
--- en/issues.dbk 2009-08-22 22:14:09 +0000
+++ en/issues.dbk 2010-08-22 06:58:26 +0000
@@ -493,6 +493,23 @@
</para>
</section>
+<section id="webservice-security">
+<title>Security status of OCS Inventory and SQL-Ledger</title>
+<para>
+<indexterm><primary>OCS Inventory</primary></indexterm>
+<indexterm><primary>SQL-Ledger</primary></indexterm>
+The webservice packages <systemitem
+role="package">ocsinventory-server</systemitem> and <systemitem
+role="package">sql-ledger</systemitem> are included in the &releasename;
+release but have special security requirements that users should be aware of
+before deploying them. These two webservices are designed for deployment
+only behind an authenticated HTTP zone and should never be made available to
+untrusted users; and therefore they receive only limited security support
+from the Debian security team. Users should therefore take particular care
+when evaluating who to grant access to these services.
+</para>
+</section>
+
<section id="kde-desktop-changes">
<title>KDE desktop</title>
<para>
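Review bot: The added paragraph in the webservice-security section says the two services are "designed for deployment only behind an authenticated HTTP zone" but never says what that term means or what an administrator has to configure to get there, so the reader is warned without being told what to do; a short explanatory clause or a pointer to the packages' own documentation would close that gap. Two wording points in the same paragraph: "untrusted users; and therefore they receive" joins the clauses with both a semicolon and "and", and "therefore" is then repeated in the following sentence, so ending the sentence at "untrusted users." and continuing with "They therefore receive only limited security support from the Debian security team." while dropping the second "therefore" would read more cleanly. The section id "webservice-security" is also broader than the title, which covers only these two packages.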
Cheers,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
[email protected] [email protected]
--- End Message ---