[Mageia-dev] slight security improvement: should we update aria2 to 1.11.2?

Michael Scherer misc at zarb.org
Tue May 24 10:17:20 CEST 2011


On Tuesday, 24 May 2011 at 10:07 +0200, Thierry Vignaud wrote:
> Hi
> 
> We are currently shipping aria2-1.11.1.
> 
> However, the latest version is 1.11.2, which slightly improves security when
> using authenticated
> media by hiding them from process viewers (ps, ...):
> 
> http://sourceforge.net/news/?group_id=159897
> "The username and password specified in command-line are now masked with
> "*" immediately after parsed, so that ps cannot show username and password."
> 
> Since that does not happen for most users and since we don't provide auth media,
> that's not an immediate concern, so should we update for Mageia 1?

I would keep this as an update after the release is out (like the 4
ruby CVEs, the libzip one (CVE-2011-0421)) and others that came out since
yesterday.

So maybe we could open bugs for this?

There are 2 proposals:
- filing them on security, and have a saved search
- creating a tracker bug

I would be in favor of the tracker bug:
- you can subscribe to it
- it will be clearer (as bugfixes are not security so we may miss some
update to do)
- it doesn't pollute the list of saved searches

But as Pascal said, a tracker bug requires each bug to be linked to
it, which is manual and error-prone.

Any opinion on this (or a 3rd proposal)?

-- 
Michael Scherer
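
The masking described in the quoted aria2 release note can be sketched as follows. This is an added example, not part of the original message and not aria2's code; the option names `--user=` and `--passwd=` and both function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the value out of its argv slot, then overwrite the original bytes
 * with '*'. The length is unchanged, so the argument memory that ps reads
 * (on Linux, via /proc/<pid>/cmdline) is rewritten in place, never resized.
 * Returns a heap copy the caller frees, or NULL on allocation failure. */
static char *take_and_mask(char *value)
{
    size_t n = strlen(value);
    char *copy = malloc(n + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, value, n + 1);
    memset(value, '*', n);
    return copy;
}

/* Hypothetical options for this sketch: --user=VALUE and --passwd=VALUE.
 * *user and *passwd must be NULL on entry. Returns the number masked. */
int mask_credentials(int argc, char **argv, char **user, char **passwd)
{
    static const char *const opts[] = { "--user=", "--passwd=" };
    char **out[] = { user, passwd };
    int masked = 0;

    for (int i = 1; i < argc; i++) {
        for (size_t k = 0; k < 2; k++) {
            size_t plen = strlen(opts[k]);
            if (strncmp(argv[i], opts[k], plen) != 0)
                continue;
            free(*out[k]);              /* last occurrence wins */
            *out[k] = take_and_mask(argv[i] + plen);
            if (*out[k] != NULL)
                masked++;
        }
    }
    return masked;
}

int main(int argc, char **argv)
{
    char *user = NULL, *passwd = NULL;
    int n = mask_credentials(argc, argv, &user, &passwd);
    printf("masked %d argument(s); argv now:", n);
    for (int i = 1; i < argc; i++)
        printf(" %s", argv[i]);
    printf("\n");
    free(user); free(passwd);
    return 0;
}
```

The cleartext remains visible from process start until the overwrite runs, so masking narrows the exposure window rather than closing it; supplying credentials through a file or standard input keeps them out of the argument list altogether.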


