[Babel-users] ANNOUNCE: babelweb-0.2.2
Gabriel Kerneis
kerneis at pps.jussieu.fr
Wed Aug 31 10:14:14 UTC 2011
Dear all,
On Mon, Aug 29, 2011 at 10:55:58AM +0200, Gabriel Kerneis wrote:
> Babelweb-0.2.2 is available
> This minor release fixes a security bug: babelweb would accept to run as
> root when no username was provided to drop privileges.
Julien Cristau kindly pointed out that this release contains yet another
security issue: group privileges are not dropped properly. I worked on a fix,
which involves a bit of C++ code because nodejs lacks bindings to handle
supplementary groups:
https://github.com/kerneis/babelweb/commits/hotfix-0.2.3
This branch hopefully fixes the bug but I don't want to make the same mistake
twice, releasing in a hurry and forgetting something important. I'd be glad if
some of you could have a look, in particular at the following commit:
https://github.com/kerneis/babelweb/commit/7194372fdaf1abed8ee6ce5f4a2f08e12d7c3e64
If everything looks fine, I'll make a 0.2.3 release in a few days. Meanwhile,
avoid running babelweb as root.
Best,
--
Gabriel Kerneis
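The point raised above, that supplementary groups have to be dropped as well as the primary gid and uid, as an added example that is not babelweb's code and not the C++ in the hotfix branch. It shows the POSIX calls a native binding has to make, in the order they must be made, plus a pure check that can be run offline on constructed credential states to see what an incomplete drop leaves behind. All names (drop_privileges, privileges_fully_dropped, live_privileges_fully_dropped, the sample_groups_* arrays) and the choice of clearing the group list to the primary group only are assumptions of this example.

```c
/* Added example, not babelweb code: full root-privilege drop including
 * supplementary groups, plus a pure check usable on constructed data.
 * All function and array names here are invented for the example. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure check over an observed credential state: 1 if the process holds
 * exactly target_uid/target_gid and no other supplementary group, else 0.
 * The loop over the group list is what a setgid()/setuid()-only drop fails:
 * root's supplementary groups (gid 0 among them) stay attached. */
int privileges_fully_dropped(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                             const gid_t *groups, int ngroups,
                             uid_t target_uid, gid_t target_gid)
{
    if (ruid != target_uid || euid != target_uid) return 0;
    if (rgid != target_gid || egid != target_gid) return 0;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] != target_gid) return 0;   /* leftover group, e.g. 0 */
    return 1;
}

/* Read the live credentials and run the check; also probe that setuid(0)
 * is now refused, which catches a drop that changed only the effective id. */
int live_privileges_fully_dropped(uid_t target_uid, gid_t target_gid)
{
    gid_t groups[64];
    int n = getgroups(64, groups);
    if (n < 0) return 0;                 /* more than 64 groups: not dropped */
    if (!privileges_fully_dropped(getuid(), geteuid(), getgid(), getegid(),
                                  groups, n, target_uid, target_gid))
        return 0;
    if (target_uid != 0 && setuid(0) == 0) return 0;  /* re-escalation worked */
    return 1;
}

/* Drop root to `username`. Order is the whole point: setgroups() and
 * setgid() must run while still root, because after setuid() the kernel
 * no longer lets the process change its groups. 0 on success, -1 + errno. */
int drop_privileges(const char *username)
{
    if (username == NULL || *username == '\0') { errno = EINVAL; return -1; }
    struct passwd *pw = getpwnam(username);
    if (pw == NULL) { errno = ENOENT; return -1; }
    if (pw->pw_uid == 0 || pw->pw_gid == 0) { errno = EPERM; return -1; }

    gid_t primary = pw->pw_gid;
    if (setgroups(1, &primary) != 0) return -1;  /* 1. supplementary groups */
    if (setgid(primary) != 0) return -1;         /* 2. real/effective/saved gid */
    if (setuid(pw->pw_uid) != 0) return -1;      /* 3. real/effective/saved uid */

    if (!live_privileges_fully_dropped(pw->pw_uid, primary)) {
        errno = EPERM;                           /* verify, never trust the calls */
        return -1;
    }
    return 0;
}

/* Constructed credential states for exercising the pure check offline. */
static const gid_t sample_groups_clean[]    = {1000};     /* only the target gid */
static const gid_t sample_groups_leftover[] = {0, 1000};  /* gid 0 still held */

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s username\n", argv[0]); return 2; }
    if (geteuid() != 0) { fprintf(stderr, "not root, nothing to drop\n"); return 0; }
    if (drop_privileges(argv[1]) != 0) { perror("drop_privileges"); return 1; }
    printf("now uid=%u gid=%u, supplementary groups cleared\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Clearing the list to the primary group is the most restrictive choice and suits a daemon; a process that needs the target user's own group memberships would call initgroups(username, pw->pw_gid) at step 1 instead and relax the check accordingly. Either way the verification after the drop is what catches the class of mistake reported here, since setgid() and setuid() return success whether or not the group list was ever touched.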