Forum OpenACS Q&A: Security Measures -- Details

Posted by MaineBob OConnor on

Currently we are not using SSH security on our development system.

** Yes, I know we 'should' and we 'must'! **

In other words, we are using Telnet without SSH. Can someone describe the steps necessary to get SSH working and recommend good tools to use? This would include a telnet client that works under Windoz. All access to our server will be done remotely via the internet. Open source and inexpensive solutions are preferred. What about security and FTP access to this server?

A second area that needs addressing: We are using OpenACS 3.2.2. Two July 4th patches dealt with some security issues...

Are there other security issues to be fixed and released with 3.2.4? Can anyone address this and give a new release date estimate? The July 4th security note on the OpenACS home page still says:

    We will be releasing OpenACS 3.2.4 before the end of the week. OpenACS 3.2.4 will fix all known security problems.

Can anyone shed more light on this or is this a "don't ask -- don't tell" situation? 😊 -Bob
Posted by Ben Adida on
Yes, I can shed some light on this: I've been busy going through every Tcl file in OpenACS and adding security checks everywhere. It's taken a while, and there's a little bit left to do, but it's almost there. We're talking about a very different level of security between 3.2.2 and 3.2.4.

However, changing every Tcl file means I need massive help. In general, the only bugs potentially introduced involve verifying an argument to a page that is optional, thus causing an error. Get the latest CVS and help test, please!! Hopefully OpenACS 3.2.4 will be ready by end of week.

3: Where is CVS for OpenACS (response to 1)
Posted by Connie Hentosh on
Okay, Silly question.  Where is the CVS for this?  (Anyone find a good way to do a search on www.openacs.org?)
Posted by Dan Wickstrom on
Go to http://sourceforge.net/project/?group_id=490 and select the link for cvs repository.

Search is not currently implemented.