
[Arx-users] Arx-2.2.1 SECURITY UPGRADE


From: Walter Landry
Subject: [Arx-users] Arx-2.2.1 SECURITY UPGRADE
Date: Thu, 10 Mar 2005 22:38:44 -0500 (EST)

Greetings,

I have made a new release of ArX.  You can find it in the usual place.

  http://superbeast.ucsd.edu/~landry/ArX/ArX-2.2.1.tar.gz

I have attached the release notes below.  Note that this is a security
update, so everyone is urged to upgrade.

The security problem arises when building configurations.  If there is
a configuration with an entry like

  foo  src/foo/bar

there is no guarantee that the src or src/foo directories are not
symlinks.  This has been fixed by replacing the configuration
functionality with enhanced tags.  The enhanced tags check for this
sort of issue.

Note that the new tag mechanism means that you only have to type

  arx get http://superbeast.ucsd.edu/~landry/ArX/wlandry/arx.2.2.release

to get the latest release of ArX, and 

  arx merge http://superbeast.ucsd.edu/~landry/ArX/wlandry/arx.2.2.release
 
to update it to the next release.

Enjoy,
Walter


ArX-2.2.1 2005-Mar-6

This is a security fix release bundled with a few new features.  The
security issue arises from insecure path handling when building
configurations.  It has been fixed by removing the configuration
mechanism and enhancing the capabilities of "tag" so that it can take
its place.

"tag" now creates a revision that is just a symbolic name, as opposed
to a true revision.  It should also run much more quickly, since it no
longer has to create a tree.  Finally, it can represent a collection
of different projects in one tree, much like a configuration.

"diff" now has a --recursive option.

gpg is now much less chatty.

"make-dist" has been renamed to "export", and by default makes a
project tree, not a tarball.

"init-tree" has been renamed to "init".

The syntax for "merge" and "replay" has been cleaned up significantly.

"patch-report" can now directly inspect patches in the archive as well
as tarballs.

A bug where permissions for the public key list in the archive were
not set properly has been fixed.

A bug where environment variables for hooks were not properly set has
been fixed.
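The message above describes the class of check the enhanced tags perform: before building into a configuration target such as `src/foo/bar`, make sure that neither `src` nor `src/foo` is a symbolic link. The following is an added illustration of that check, written for this page; it is not ArX's own code. It assumes the configuration line format `name  path` shown in the message, and it also rejects absolute paths and `..` components (an assumption, since the message only discusses symlinks). The sample tree and configuration lines are constructed for the demonstration.

```python
import os
import stat
import tempfile


def target_is_safe(base: str, rel_path: str) -> bool:
    """Return True only if rel_path, placed beneath base, passes through no
    symlink and cannot escape base.  Constructed check, not ArX's own code.
    Components that do not exist yet are accepted: the caller will create
    them as real directories."""
    if os.path.isabs(rel_path):
        return False                        # must stay relative to base
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if ".." in parts:
        return False                        # no climbing out of base
    current = base
    for part in parts:
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)          # lstat does not follow symlinks
        except FileNotFoundError:
            return True                     # nothing further exists yet
        if stat.S_ISLNK(st.st_mode):
            return False                    # e.g. src or src/foo is a symlink
        if not stat.S_ISDIR(st.st_mode):
            return False                    # a file where a directory is needed
    return True


def check_config(base: str, config_text: str) -> dict:
    """Parse 'name  path' lines (format assumed from the message's example)
    and report, per project name, whether its target path is safe to build into."""
    results = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, rel_path = line.split(None, 1)
        results[name] = target_is_safe(base, rel_path.strip())
    return results


def demo() -> dict:
    """Build a constructed tree in a temporary directory where src/foo is a
    symlink pointing outside src, then evaluate sample configuration lines."""
    root = tempfile.mkdtemp(prefix="cfgcheck-")
    os.makedirs(os.path.join(root, "src", "real"))
    os.makedirs(os.path.join(root, "elsewhere"))
    os.symlink(os.path.join(root, "elsewhere"), os.path.join(root, "src", "foo"))
    config = """
    # constructed sample configuration
    foo    src/foo/bar
    real   src/real/bar
    fresh  src/newdir/baz
    up     ../outside
    abs    /tmp/outside
    """
    return check_config(root, config)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:6s} {'ok' if ok else 'REJECTED'}")
```

`lstat` reports on the link itself rather than its target, which is what distinguishes `src/foo` (a symlink) from `src/real` (a real directory). Note that this is a point-in-time check: a link created between the check and the subsequent `mkdir` would still be followed, so a build tool that wants to close that window creates and opens each component with `O_NOFOLLOW` and `O_DIRECTORY` relative to a directory descriptor instead of re-resolving the path from the top.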



