On Mon, Apr 08, 2002 at 10:36:31AM -0400, Bruce R. Lewis wrote:
> A recent message on debian-devel-announce shows cgiemail having been
> removed from the upcoming release.
>
> Has the buffer overflow fix for cgicso been checked in? If not, one
> option is to remove cgicso entirely, as it is really not useful except
> at MIT, and its existence probably confuses some people.
>
> As for the script-reading vulnerability, why not just have cgiemail and
> cgiecho not echo back the message sent at all; just say "a message was
> sent" or somesuch. Seems like a quick fix is needed if cgiemail is to
> be included in woody.

Better fixes are available, though. I'd forgotten that the last message
in this bug left it up to me to test them ... I'll have a look today or
tomorrow and see if we can get this sorted.

--
Colin Watson [EMAIL PROTECTED]