On Feb 16, 2007, at 8:34 AM, Robin Elfrink wrote:
OK, committed.
and the Trac page was updated --
02/16/07 08:39:13: Modified by robin
* status changed from new to closed. * resolution set to fixed.
Fixed in SVN revision 482.
Was the fix incorporated into the "roundcube_webmail_0.1-beta2.2.tar.gz" file in the downloads section ?
That way, new users won't have to patch the vulnerability right from
the first install.
Should there be a "roundcube_webmail_0.1-beta2.3.tar.gz" download
with the fix instead ?
Also, the "latest" nightly SVN at http://sourceforge.net/project/showfiles.php?group_id=139281 is from January, so I assume the fix isn't there ?
Shouldn't a new SVN snapshot be pushed out with the fix ? Besides the "Unofficial" one at <http://www.flosoft.biz/roundcube/roundcube-rev495.tar.gz> ?
I think it is great that the last two vulnerabilities were patched
very quickly. However, it seems most of the developers assume that
all users check out the latest SVN every day and run that in
production. Fixing a vulnerability in SVN is a great first step, but
letting your users know the update exists ( no mention about this in
the "News" on the home page ) and providing at least one way to get
at the fix without checking out SVN is prudent, IMHO.
I realize that the priority development focus of RoundCube is to move
toward 1.0 ( or even beta3 ), but I think project developers should
be a bit more attentive to getting vulnerabilities fixed for all user
installs, not just bleeding edge SVN users.
Thanks,
Charles Dostale System Admin - Silver Oaks Communications http://www.silveroaks.com/ 824 17th Street, Moline IL 61265