At 12:26 PM 10/11/2013 -0700, Galen Charlton wrote:
On Thu, Oct 10, 2013 at 3:17 AM, Marcel de Rooy <<mailto:M.de.Rooy@rijksmuseum.nl>M.de.Rooy@rijksmuseum.nl> wrote: I have been looking for these patches on Bugzilla, but I cannot find them. [snip] The patches lack a bug number because of a chicken-and-egg problem, as the bug couldn't be posted before the patches and the release announcement were. These patches have a nasty side-effect. If you use an older Koha version and also current master on the same system for testing, the old Koha version will stumble over this (shared) cookie: [snip] An alternative configuration which may better suit your needs is to use name-based virtual hosts rather than port-based ones, which will perforce ensure that the two versions don't share cookies. [snip] Considering that the security release was made at the end of July, was targeted at supported *and* unsupported versions, and was heavily publicized, there is already a fair amount of negative data
"Name based" v. "port based", "Nasty side effects" and "negative data" raise flags with me. I've just looked up bug 10657 which either blind-sides me with science or baffles me with bull. "Storable" and references to "checked for JSON-correctness and is ignored" are meaningless without context. If there really is a security aspect would someone please explain it? OFF-LIST if need be. Many thanks - Paul