[Samba] PROPOSAL: Remove SWAT in Samba 4.1
rs at sys4.de
Wed Feb 20 02:28:03 MST 2013
Am 18.02.2013 01:02, schrieb Andrew Bartlett:
> As most of you would have noticed, we have now had 3 CVE-nominated
> security issues for SWAT in the past couple of years.
> At the same time, while I know many of our users use SWAT, we just don't
> have anybody to maintain it inside the Samba Team. Kai has made a
> valiant effort to at least apply the XSS and CSRF guidelines when folks
> make security reports, but by his own admission he isn't a web developer
> - none of us are!
> There are many other parts of Samba that have not been substantially
> maintained in years, but few have the level of security exposure that
> SWAT does (most are bits of library and utility code that we apply
> elsewhere, but which just quietly does it's own job).
> The issue isn't that we can't write secure code, but that writing secure
> Web code where we can't trust the authenticated actions of our user's
> browser is a very different modal to writing secure system code.
> Frankly it just isn't our area.
> Therefore, it was suggested on a private list that we just drop SWAT. I
> want to start a public discussion on that point, prompted by
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700729 which reminds us
> why we didn't apply the specific CSRF hardening we applied in 4.0.2 to
> SWAT in the first place.
> Andrew Bartlett
Hi Andrew , i am not up2date with current
samba module in webmin, but however, what about remove swat,
and help webmin people for coding stuff there, so samba people
dont need to care about the webmin framework security, only i.e helping
at integrate new or changed parameters in the samba webmin module.
MfG Robert Schetterer
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Joerg Heidrich
More information about the samba