[Arx-users] Arx-2.2.1 SECURITY UPGRADE
From: Walter Landry
Subject: [Arx-users] Arx-2.2.1 SECURITY UPGRADE
Date: Thu, 10 Mar 2005 22:38:44 -0500 (EST)

Greetings,

I have made a new release of ArX. You can find it in the usual place.

  http://superbeast.ucsd.edu/~landry/ArX/ArX-2.2.1.tar.gz

I have attached the release notes below. Note that this is a security
update, so everyone is urged to upgrade.

The security problem arises when building configurations. If there is
a configuration with an entry like

  foo src/foo/bar

there is no guarantee that the src or src/foo directories are not
symlinks. This has been fixed by replacing the configuration
functionality with enhanced tags. The enhanced tags check for this
sort of issue.

Note that the new tag mechanism means that you only have to type

  arx get http://superbeast.ucsd.edu/~landry/ArX/wlandry/arx.2.2.release

to get the latest release of ArX, and

  arx merge http://superbeast.ucsd.edu/~landry/ArX/wlandry/arx.2.2.release

to update it to the next release.

Enjoy,
Walter

ArX-2.2.1 2005-Mar-6

This is a security fix release bundled with a few new features. The
security issue arises from insecure path handling when building
configurations. It has been fixed by removing the configuration
mechanism and enhancing the capabilities of "tag" so that it can take
its place.

"tag" now creates a revision that is just a symbolic name, as opposed
to a true revision. It should also run much more quickly, since it no
longer has to create a tree. Finally, it can represent a collection
of different projects in one tree, much like a configuration.

"diff" now has a --recursive option.

gpg is now much less chatty.

"make-dist" has been renamed to "export", and by default makes a
project tree, not a tarball.

"init-tree" has been renamed to "init".

The syntax for "merge" and "replay" has been cleaned up significantly.

"patch-report" now can directly inspect patches in the archive as well
as tarballs.

A bug where permissions for the public key list in the archive were
not set properly has been fixed.

A bug where environment variables for hooks were not properly set has
been fixed.
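
The symlink problem described in the announcement above, as an added example that is not part of the original message and is not ArX code: an entry such as "foo src/foo/bar" is only safe to build if neither src nor src/foo is a symlink. The Python code below shows one way to enforce that on a POSIX system; the names open_dir_no_symlinks, UnsafePath and demo are hypothetical, the tree root is assumed to be trusted, and nothing here reflects how ArX's enhanced tags perform their check.

```python
import os
import tempfile

class UnsafePath(Exception):
    """The configuration path would leave the project tree."""

def open_dir_no_symlinks(root, relpath):
    """Create/open relpath below root one component at a time; each one is
    opened relative to its parent's fd with O_NOFOLLOW, so a symlink at
    src or src/foo is refused, not followed. Returns a directory fd."""
    parts = relpath.split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise UnsafePath(f"not a plain relative path: {relpath!r}")
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)  # root is trusted
    try:
        for part in parts:
            try:
                os.mkdir(part, 0o755, dir_fd=fd)
            except FileExistsError:
                pass  # directory or symlink; the open below decides
            try:
                child = os.open(part, flags, dir_fd=fd)
            except OSError as exc:
                raise UnsafePath(f"{part!r} in {relpath!r} is not a real directory") from exc
            os.close(fd)
            fd = child
        return fd
    except BaseException:
        os.close(fd)
        raise

def demo():
    """Constructed trees: 'clean' is empty, 'evil' has src/foo -> outside."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, evil, outside = (os.path.join(tmp, n) for n in ("clean", "evil", "outside"))
        for d in (clean, outside, os.path.join(evil, "src")):
            os.makedirs(d)
        os.symlink(outside, os.path.join(evil, "src", "foo"))
        os.close(open_dir_no_symlinks(clean, "src/foo/bar"))
        clean_ok = os.path.isdir(os.path.join(clean, "src", "foo", "bar"))
        try:
            os.close(open_dir_no_symlinks(evil, "src/foo/bar"))
            rejected = False
        except UnsafePath:
            rejected = True
        return clean_ok, rejected, os.listdir(outside) == []
if __name__ == "__main__":
    print(demo())
```

Walking the path through directory descriptors, rather than checking with lstat and then opening by name, also closes the window in which a component could be swapped for a symlink between the check and the use.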