Re: XCode 3.1 is out.
- Subject: Re: XCode 3.1 is out.
- From: Miguel Arroz <email@hidden>
- Date: Sun, 13 Jul 2008 11:36:23 +0100
Hi!
OK, that explains why I didn't understand it, I'm still on
5.3.*. :) Thanks.
Yours
Miguel Arroz
On 2008/07/13, at 09:24, Johann Werner wrote:
On 13.07.2008 at 01:37, Miguel Arroz wrote:
Hi!
Yap. From the Apple security announcements mail-list:
WebObjects
CVE-ID: CVE-2008-2318
Available for: Mac OS X v10.5.x
Impact: WebObjects session IDs may be disclosed to other web sites
Description: WebObjects contains an API to generate URLs in HTML
documents via the WOHyperlink dynamic element. When WOHyperlink is
used, it always appends a session ID to the generated URL, even for
absolute URLs. Using WOHyperlink to create URLs that point at other
web sites may result in the disclosure of the current user's session
ID to those sites. This update addresses the issue by appending
session IDs to absolute URLs only when explicitly requested.
I'm still trying to understand this, especially what they mean by
"even for absolute URLs".
It means that even if you use a WOHyperlink with an href binding with
a static string to e.g. an external site, it would append the session
ID to that URL automatically. With WO 5.3 it did so only if you
added an extra binding ?wosid=true, but with WO 5.4 / 5.4.1 it is the
other way round.
jw
Yours
Miguel Arroz
On 2008/07/13, at 00:29, Joe Little wrote:
Apparently, there was a security issue in there resolved by this
release. Likely:
5657595 WOHyperlink generates WOSID's on absolute URLs
see http://www.macnn.com/articles/08/07/12/apple.xcode.tools.31/
On Fri, Jul 11, 2008 at 6:09 PM, Pascal Robert <email@hidden> wrote:
And WO 5.4.2 release notes:
http://support.apple.com/kb/HT1979
Available at the usual place.
https://connect.apple.com
--
Seeya...Q
Quinton Dolan - email@hidden
Gold Coast, QLD, Australia (GMT+10)
Ph: +61 419 729 806
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
-------------------------------------------------------
Pascal Robert
http://www.macti.ca
http://www.linkedin.com/in/macti
Skype: MacTICanada
AIM/iChat : MacTICanada
http://www.survs.com
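Added example, not code from this thread or from WebObjects: an audit check a defender can run over rendered HTML to spot outbound links that still carry a session ID, plus a helper that strips it from a URL. It assumes the session ID travels as a query parameter named wosid (the name from the ?wosid=true binding discussed above) and that the caller knows the application's own host; the sample HTML is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: the session ID is carried as a "wosid" query parameter.
SESSION_PARAM = "wosid"


class _LinkCollector(HTMLParser):
    """Collect the href of every <a> element in a rendered page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def leaking_links(html, app_host):
    """Return hrefs that point at a foreign host AND carry the session ID.

    Relative links and links back to app_host keep the ID with the app and
    are not reported; only absolute URLs to other sites are a disclosure."""
    collector = _LinkCollector()
    collector.feed(html)
    leaks = []
    for href in collector.hrefs:
        parts = urlsplit(href)
        if not parts.netloc or parts.netloc.lower() == app_host.lower():
            continue
        if any(key == SESSION_PARAM for key, _ in parse_qsl(parts.query)):
            leaks.append(href)
    return leaks


def strip_session_id(href):
    """Mitigation: drop the wosid parameter from an outbound URL."""
    parts = urlsplit(href)
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != SESSION_PARAM]
    return urlunsplit(parts._replace(query=urlencode(query)))


# Constructed sample output resembling a page where every link got a wosid.
SAMPLE_HTML = """
<a href="/cgi-bin/WebObjects/Shop.woa/wo/Cart?wosid=Abc123">Cart</a>
<a href="http://www.example.org/?wosid=Abc123">Partner</a>
<a href="http://www.example.org/about">About partner</a>
"""

if __name__ == "__main__":
    for link in leaking_links(SAMPLE_HTML, "shop.example.com"):
        print("leaks to", urlsplit(link).netloc, "->", strip_session_id(link))
```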