Re: Exposed .git and server-status bugzilla.gnome.org



2017-11-28 0:44 GMT+01:00 Tobias Mueller <muelli cryptobitch de>:
hey hey.

We're exposing our bugzilla's git repository on
http://bugzilla.gnome.org/.git/.  It has some of our commits which I
don't think are problematic, but may become so in the future.

The repository is public [1] already but I'm aware many security tools
report this as a problem so I went ahead and excluded the folder from
ever being accessible. [2]

Additionally, there is https://bugzilla.gnome.org//server-status/.
Again, I don't think it's inherently a bad thing, but we might dislike
showing off our version numbers in the future. Or the IP addresses of
our clients...

Done too. [2]

While we're at it, can we have TLS 1.2 for smtp.gnome.org?

The host that runs smtp.gnome.org requires an upgrade to RHEL 7 for this
to happen. Surely a good thing to work on after my focus has gone off
from the cgit->GitLab migration. Mind reminding me of that once that
has happened?


Thanks for your reports Tobi!

[1] https://git.gnome.org/browse/bugzilla-gnome-org-upstream
[2] https://infrastructure.gnome.org/browse/puppet/commit/?id=f13beb13ba96366f08ba5f86d766a8ed64c54ca7

-- 
Cheers,

Andrea

Red Hatter,
Fedora / EPEL packager,
GNOME Infrastructure Team Coordinator,
Former GNOME Foundation Board of Directors Secretary,
GNOME Foundation Membership & Elections Committee Chairman

Homepage: http://www.gnome.org/~av
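
A check an administrator could run after the change discussed in this thread, to confirm that `/.git/` and `/server-status` no longer answer. This is an added example, not part of the original messages or of the GNOME puppet commit. The content patterns, the function names and the `example.test` host are assumptions, and the sample responses are constructed.

```python
import re
import urllib.error
import urllib.request

# Content checks are assumptions of this example: a git HEAD file and mod_status page text.
GIT_HEAD = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})\s*$")
STATUS_MARKERS = ("Apache Server Status", "Server Version:")

def git_exposed(status, body):
    """True if a response to /.git/HEAD is a real HEAD file, not a soft-404 page."""
    return status == 200 and bool(GIT_HEAD.match(body))

def status_exposed(status, body):
    """True if a response to /server-status looks like mod_status output."""
    return status == 200 and any(m in body for m in STATUS_MARKERS)

def fetch(url, timeout=5):
    """Return (status, first 4 KiB of body) for a URL on a host you administer."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""

def audit(base, fetcher=fetch):
    """Check both paths from the thread and return {path: exposed?}."""
    base = base.rstrip("/")
    return {
        "/.git/HEAD": git_exposed(*fetcher(base + "/.git/HEAD")),
        "/server-status": status_exposed(*fetcher(base + "/server-status")),
    }

# Constructed responses (not captured from any real server).
BEFORE = {
    "/.git/HEAD": (200, "ref: refs/heads/master\n"),
    "/server-status": (200, "<h1>Apache Server Status for example.test</h1>"),
}
AFTER = {"/.git/HEAD": (403, ""), "/server-status": (404, "")}
SOFT_404 = dict.fromkeys(BEFORE, (200, "<html>Not found</html>"))

def fake(table):
    """Build an offline fetcher that serves the constructed responses above."""
    return lambda url: table[url[len("https://example.test"):]]

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER), ("soft-404", SOFT_404)):
        print(name, audit("https://example.test", fake(table)))
```

Checking the body as well as the status code keeps a custom error page served with status 200 from being counted as an exposure.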

