1. 08 Oct, 2016 1 commit
  2. 05 Oct, 2016 1 commit
  3. 28 Sep, 2016 2 commits
  4. 27 Sep, 2016 1 commit
  5. 23 Sep, 2016 6 commits
  6. 19 Sep, 2016 1 commit
  7. 18 Sep, 2016 1 commit
  8. 16 Sep, 2016 1 commit
  9. 15 Sep, 2016 1 commit
  10. 24 Aug, 2016 1 commit
  11. 22 Aug, 2016 1 commit
  12. 20 Aug, 2016 3 commits
    • Joshua Tauberer's avatar
      merge v0.19b hot fix release · 27b4edfc
      Joshua Tauberer authored
      27b4edfc
    • Joshua Tauberer's avatar
      v0.19b · ba75ff78
      Joshua Tauberer authored
      ba75ff78
    • Joshua Tauberer's avatar
      simplify how munin-cgi-graph is called to reduce the attack surface area · a14b1779
      Joshua Tauberer authored
      Seems like if REQUEST_METHOD is set to GET, then we can drop two redundant ways the query string is given. munin-cgi-graph itself reads the environment variables only, but its calls to Perl's CGI::param will look at the command line if REQUEST_METHOD is not used, otherwise it uses environment variables like CGI used to work.
      
      Since this is all behind admin auth anyway, there isn't a public vulnerability. #914 was opened without comment which lead me to notice the redundancy and worry about a vulnerability, before I realized this is admin-only anyway.
      
      The vulnerability was created by 6d6f3ea3.
      
      See #914.
      
      This is the v0.19b hotfix commit.
      a14b1779
  13. 19 Aug, 2016 1 commit
    • Joshua Tauberer's avatar
      simplify how munin-cgi-graph is called to reduce the attack surface area · 35a360ef
      Joshua Tauberer authored
      Seems like if REQUEST_METHOD is set to GET, then we can drop two redundant ways the query string is given. munin-cgi-graph itself reads the environment variables only, but its calls to Perl's CGI::param will look at the command line if REQUEST_METHOD is not used, otherwise it uses environment variables like CGI used to work.
      
      Since this is all behind admin auth anyway, there isn't a public vulnerability. #914 was opened without comment which lead me to notice the redundancy and worry about a vulnerability, before I realized this is admin-only anyway.
      35a360ef
  14. 18 Aug, 2016 3 commits
  15. 16 Aug, 2016 2 commits
  16. 15 Aug, 2016 2 commits
  17. 13 Aug, 2016 2 commits
  18. 08 Aug, 2016 6 commits
  19. 01 Aug, 2016 1 commit
    • Joshua Tauberer's avatar
      add SRV records for CardDAV/CalDAV · cf3e1cd5
      Joshua Tauberer authored
      DavDroid's latest version's account configuration no longer just asked for a hostname. Its email address & password configuration mode did not work without a SRV record.
      cf3e1cd5
  20. 29 Jul, 2016 3 commits