lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030818185700.GA798@complete.org>
Date: Mon, 18 Aug 2003 13:57:00 -0500
From: John Goerzen <jgoerzen=WrTMxSeDnuhg9hUCZPvPmw@...lic.gmane.org>
To: bugtraq=o7tR/nIX9Vi1EmJ4MpGYnQC/G2K4zDHf@...lic.gmane.org
Cc: gopher=WrTMxSeDnuhg9hUCZPvPmw@...lic.gmane.org
Subject: FW: UMN Gopher 3.0.6 released


Recently, a security bug in UMN gopherd was reported to this list.  However,
the submitter of this bug made no effort to notify me (the maintainer of
this program) of the bug, either before or after the discovery of the bug. 
I heard about it some time later by a bugtraq reader that submitted a bug to
Debian.

UMN gopherd has been not-really-supported since the maturity of alternative
Gopher servers such as PyGopherd and Bucktooth.  With the realization that
better servers than gopherd exist today, that gopherd needs but is not
likely to receive a thorough security audit, that gopherd has been largely
stagnant since the advent of these newer servers, and that migration paths
are available, I have decided to depricate gopherd and remove it from the
Gopher distribution, effective immediately.

All users of gopherd are advised to immediately upgrade to PyGopherd,
available from http://quux.org/devel/gopher/pygopherd.  It is important to
note that all versions of gopherd currently deployed now have known security
holes.

Thanks to UMN for their pioneering work in gopherd.  It has lasted over 11
years and inspired whole new ways of using the Internet.

UMN gopher, the curses-based gopher client, will remain part of the
distribution.

----- Forwarded message from John Goerzen <jgoerzen=WrTMxSeDnuhg9hUCZPvPmw@...lic.gmane.org> -----

From: John Goerzen <jgoerzen=WrTMxSeDnuhg9hUCZPvPmw@...lic.gmane.org>
Date: Mon, 18 Aug 2003 13:46:39 -0500
Reply-To: gopher=WrTMxSeDnuhg9hUCZPvPmw@...lic.gmane.org
To: gopher=WrTMxSeDnuhg9hUCZPvPmw@...lic.gmane.org
Subject: [gopher] UMN Gopher 3.0.6 released

Hello,

I have made the release of Gopher 3.0.6.

The big change with this version is that UMN gopherd has been removed from
the distribution.  This change was made for the following reasons:

1. Many other capable servers exist.  PyGopherd specifically supports
   UMN in an often bug-compatible way, and no development effort has been
   expended on gopherd in quite some time.

2. Security problems continue to be found in the legacy gopherd code, and
   due to the development on more modern servers, nobody has the time to
   make a comprehensive security audit of gopherd.

3. New features are more easily added to other servers, and the gopherd
   codebase thus has languished since other servers have appeared.

UMN Gopher, the Gopher client, continues to be part of the distribution.

The last version of Gopher containing gopherd is preserved on the Gopher
site at http://quux.org/devel/gopher/Downloads/old as well as the Subversion
repository.  Anyone interested in maintaining gopherd may contact me, and I
would be happy to help you fork it.

I am designating PyGopherd as the upgrade path for current users of gopherd.
There are other quality Gopher servers out there; the reason I say this is
because PyGopherd has the most complete support for UMN-style .Links, .cap,
etc. files.  PyGopherd may be obtained from
http://quux.org/devel/gopher/pygopherd.

***
*** All versions of UMN gopherd currently deployed have known security bugs
*** and users are advised to switch to PyGopherd ASAP.
***

Gopher 3.0.6 may be obtained from http://quux.org/devel/gopher.

-- John


----- End forwarded message -----



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ