[Koha-bugs] [Bug 23914] Hea - share the DBMS (name and version)

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Mon Apr 27 13:17:03 CEST 2020


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23914

--- Comment #13 from Victor Grousset/tuxayo <victor at tuxayo.net> ---
Indeed, if there is no trust in the Hea server, that's a way of sharing that
one is not up to date at the system level (when that's the case), which one
might not want by default.

On the other hand, isn't sharing the full version of Koha already more of a
potential security issue? It doesn't directly speak about the system.
But can a link be rightly guessed for a number of cases? By monitoring if the
Koha is evolving on a regular basis. I don't know how much of that makes
sense.[1] Is there another more reliable way to link the two things?

And the version of Koha can directly tell if it is vulnerable to remote code
execution on an app listening to the internet. As opposed to the DBMS.

[1] Hum, I don't think it does, at least in my example. So that would be an
additional valuable piece of fingerprinting information.

Is a solution to share only the major and minor version of the DBMS and the
name? Like
- MariaDB 10.4
- MySQL 5.7

Then no issues to do it by default, right?

Hum, that can still be an issue when the version has not been maintained for
a long time. Are these remaining cases relevant? Is Koha even updated at
all on those systems?

To have an idea of the time to have an unmaintained DBMS version:
https://en.wikipedia.org/wiki/MariaDB#Versioning
https://en.wikipedia.org/wiki/MySQL#Release_history

Actually, that just means having Debian 8 or Ubuntu 16.04, which unfortunately
can still be the case with a regularly updated Koha. I know for sure 18.11
still works on those OSes. After that, I'm not sure if the Perl or DBMS version
allows Koha > 18.11 to work.

Argh, that's a complex topic!!! >_<
