SliTaz Bugs
The historical bug tracker that ran here (tazbug, a small shell/CGI application) has been retired during the server migration. It was little used and is no longer maintained.
Why it was retired
Beyond being little used, a security review of the old shell/CGI code turned up serious vulnerabilities that make it unsafe to keep online. For transparency, some examples:
- Remote code execution — user-submitted content was stored in config files that the CGI later sourced as shell, so a crafted message could run arbitrary commands.
- Path traversal — unfiltered
id/userparameters allowed reading or sourcing files outside the intended directory. - Arbitrary file deletion — an unfiltered delete parameter could remove unintended files.
- No CSRF protection — every state change happened over a plain GET link with no token.
- Reflected XSS and weak authentication (MD5 hashing, guessable session tokens).
The future of bug tracking for SliTaz is open for the developers to decide. Should we keep a dedicated tracker, use the forum, or adopt another tool? Your input is welcome.
In the meantime, please report issues and join the discussion on the SliTaz forum. To get involved in development, head to the SliTaz forge or reach the SliTaz Core development group.
SliTaz Bugs