ant-dev mailing list archives

From "Steve Loughran" <>
Subject Re: cvs commit: ant/src/main/org/apache/tools/ant/taskdefs/optional/clearcase
Date Tue, 15 Apr 2003 03:49:07 GMT

----- Original Message -----
From: "Magesh Umasankar" <>
To: "Ant Developers List" <>
Sent: Monday, April 14, 2003 17:35
Subject: Re: cvs commit:

> Point taken.
> In the future, if it will help, I will attach the actual diff
> that was used to patch to the bug report, before marking it as
> fixed.
> Cheers,
> Magesh

No, I wasn't expecting any changes - ant isn't a security issue, it's more an
observation that we have a loophole in the process, one that matters more
where you have

- complex code that doesn't get looked at often
- network accessible
- widely deployed.

Something like Axis or Tomcat would be vulnerable here, if not to anyone
malicious, then to someone planning to write a paper titled 'process
failures in open source security' on how they added a back door & how long
it took for someone reading the code to find it.

But I won't, because so many people do use these things it'd be
irresponsible, 'cept maybe for an easter-egg-class of back door.

