Received: with ECARTIS (v1.0.0; list gopher); Mon, 18 Aug 2003 13:57:26 -0500 (CDT) Return-Path: X-Original-To: gopher@complete.org Delivered-To: gopher@complete.org Received: by gesundheit.complete.org (Postfix, from userid 108) id 7E8181832048; Mon, 18 Aug 2003 13:57:25 -0500 (CDT) X-Scanned-By: clamscan at complete.org Received: from heinrich.complete.org (gatekeeper.excelhustler.com [68.99.114.105]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "christoph.complete.org", Issuer "John Goerzen -- Root CA" (verified OK)) by gesundheit.complete.org (Postfix) with ESMTP id 639981832033; Mon, 18 Aug 2003 13:57:22 -0500 (CDT) Received: by heinrich.complete.org (Postfix, from userid 1000) id 898A115D; Mon, 18 Aug 2003 13:57:00 -0500 (CDT) Date: Mon, 18 Aug 2003 13:57:00 -0500 From: John Goerzen To: bugtraq@securityfocus.com Cc: gopher@complete.org Subject: [gopher] FW: UMN Gopher 3.0.6 released Message-ID: <20030818185700.GA798@complete.org> Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.4i Content-Transfer-Encoding: 8bit X-archive-position: 789 X-ecartis-version: Ecartis v1.0.0 Sender: gopher-bounce@complete.org Errors-to: gopher-bounce@complete.org X-original-sender: jgoerzen@complete.org Precedence: bulk Reply-to: gopher@complete.org List-help: List-unsubscribe: List-software: Ecartis version 1.0.0 List-Id: Gopher X-List-ID: Gopher List-subscribe: List-owner: List-post: List-archive: X-list: gopher Recently, a security bug in UMN gopherd was reported to this list. However, the submitter of this bug made no effort to notify me (the maintainer of this program) of the bug, either before or after the discovery of the bug. I heard about it some time later by a bugtraq reader that submitted a bug to Debian. UMN gopherd has been not-really-supported since the maturity of alternative Gopher servers such as PyGopherd and Bucktooth. With the realization that better servers than gopherd exist today, that gopherd needs but is not likely to receive a thorough security audit, that gopherd has been largely stagnant since the advent of these newer servers, and that migration paths are available, I have decided to depricate gopherd and remove it from the Gopher distribution, effective immediately. All users of gopherd are advised to immediately upgrade to PyGopherd, available from http://quux.org/devel/gopher/pygopherd. It is important to note that all versions of gopherd currently deployed now have known security holes. Thanks to UMN for their pioneering work in gopherd. It has lasted over 11 years and inspired whole new ways of using the Internet. UMN gopher, the curses-based gopher client, will remain part of the distribution. ----- Forwarded message from John Goerzen ----- From: John Goerzen Date: Mon, 18 Aug 2003 13:46:39 -0500 Reply-To: gopher@complete.org To: gopher@complete.org Subject: [gopher] UMN Gopher 3.0.6 released Hello, I have made the release of Gopher 3.0.6. The big change with this version is that UMN gopherd has been removed from the distribution. This change was made for the following reasons: 1. Many other capable servers exist. PyGopherd specifically supports UMN in an often bug-compatible way, and no development effort has been expended on gopherd in quite some time. 2. Security problems continue to be found in the legacy gopherd code, and due to the development on more modern servers, nobody has the time to make a comprehensive security audit of gopherd. 3. New features are more easily added to other servers, and the gopherd codebase thus has languished since other servers have appeared. UMN Gopher, the Gopher client, continues to be part of the distribution. The last version of Gopher containing gopherd is preserved on the Gopher site at http://quux.org/devel/gopher/Downloads/old as well as the Subversion repository. Anyone interested in maintaining gopherd may contact me, and I would be happy to help you fork it. I am designating PyGopherd as the upgrade path for current users of gopherd. There are other quality Gopher servers out there; the reason I say this is because PyGopherd has the most complete support for UMN-style .Links, .cap, etc. files. PyGopherd may be obtained from http://quux.org/devel/gopher/pygopherd. *** *** All versions of UMN gopherd currently deployed have known security bugs *** and users are advised to switch to PyGopherd ASAP. *** Gopher 3.0.6 may be obtained from http://quux.org/devel/gopher. -- John ----- End forwarded message -----