At 12:26 PM 10/11/2013 -0700, Galen Charlton wrote:
On Thu, Oct 10, 2013 at 3:17 AM,
Marcel de Rooy
<M.de.Rooy@rijksmuseum.nl>
wrote:
- I have been looking for these patches on Bugzilla, but I cannot find
them.
[snip]
- The patches lack a bug number because of a chicken-and-egg problem,
as the bug couldn't be posted before the patches and the release
announcement were.
- These patches have a nasty side-effect. If you use an older Koha
version and also current master on the same system for testing, the old
Koha version will stumble over this (shared) cookie:
[snip]
An alternative configuration which
may better suit your needs is to use name-based virtual hosts rather than
port-based ones, which will perforce ensure that the two versions don't
share cookies.
[snip]
Considering that the security
release was made at the end of July, was targeted at supported *and*
unsupported versions, and was heavily publicized, there is already a fair
amount of negative data
"Name based" v. "port based", "Nasty side
effects" and "negative data" raise flags with me. I've
just looked up bug 10657 which either blind-sides me with science or
baffles me with bull. "Storable" and references to
"checked for JSON-correctness and is ignored" are
meaningless without context.
If there really is a security aspect would someone please explain
it?
OFF-LIST if need be.
Many thanks - Paul