A while ago I tried to run bugzilla in a chroot jail using thttpd (apache no
longer supports chroot'ing, it seems). I got it somewhat working, but I gave
up and went to bugrat, for better or worse.
I think if you can chroot (and run unprivileged) bugzilla, this greatly
minimizes any security implications you've seen. Without chrooting and
running as an unprivileged user, bugzilla is not only insecure, it's
insecurable.
> on 5/3/01 11:42 AM, "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote:
>
>> http://nagoya.apache.org/bugzilla/
>
> <http://nagoya.apache.org/bugzilla/globals.pl>
>
> When is someone going to secure that box?
>
> This is really pitiful that this has been open like this for this long
> now and on top of it, it is running an old version of bugzilla (2.10
> and 2.12 is latest). There have been security advisories regarding the
> recent holes discovered in Bugzilla and no one managing nagoya has
> taken care of the situation.
>
> I don't think we (the ASF) should give out apache.org domains to boxes
> that are not being managed properly. I also don't think that we should
> rely on a box as our primary issue tracking system if security is also
> not going to be taken seriously.
>
> thanks,
>
> -jon
--
Nick Bauman
Software Developer
3023 Lynn #22
Minneapolis, MN
55416
Mobile Phone: (612) 810-7406