We should probably do something about this.

I don't think jakarta-commons-sandbox matters much as far as this is
concerned.  Any problems created there should be detected when moving that
stuff into jakarta-commons proper, so maybe we could just call that "clean"
or "not relevant"?

For jakarta-commons, I guess we should handle this on a per-component basis
and then report back up when we're all done?  I couldn't begin to tell you
which changes to Cactus are the right ones, for example.

I'm pretty sure http-client and collections are clean since I've been using
rather recent versions of both on a daily basis, but to be honest I haven't
done a manual diff against the "pre-hack" directories.

-----Original Message-----
From: Brian Behlendorf [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 19, 2001 8:17 PM
Subject: final roundup of security audit of source code

According to http://www.apache.org/info/20010519-hack.html, the following
CVS modules have still not yet been audited conclusively:

    httpd-win32-msi
    jakarta-alexandria
    jakarta-commons
    jakarta-commons-sandbox
    jakarta-slide
    jakarta-taglibs
    jakarta-tomcat-jasper
    jakarta-tomcat-site
    jakarta-tools
    jakarta-turbine-jyve
    jakarta-turbine-orgami
    tcl-core
    xml-admin
    xml-axis
    xml-cocoon                              (in progress)
    xml-core
    xml-site
    xml-xalan                               (Xalan-J 1.x project - inactive, could be removed?)
    xml-xalan\c
    xml-xalan\java                          DTM_EXP branch ???

If people within these groups could make a concerted effort to check these
over so we can close this out, I'd appreciate it.  That way I can remove
the /home/cvs-prehack dir, modify the news blurb on the front page, etc.

We are also pulling some backups to restore a directory that was
accidentally removed (unrelated to the hack) from an older backup, so if
we need to get other files, now would be a good time.

Thanks!

        Brian

