[Pkg-sql-ledger-commit] r148 - trunk/debian

pkg-sql-ledger-commit-owner at lists.alioth.debian.org
Thu Mar 1 15:44:41 CET 2007


Author: hertzog
Date: 2007-03-01 15:44:41 +0100 (Thu, 01 Mar 2007)
New Revision: 148

Modified:
   trunk/debian/NEWS
   trunk/debian/README.Debian
   trunk/debian/changelog
Log:
Add warning about security.


Modified: trunk/debian/NEWS
===================================================================
--- trunk/debian/NEWS	2007-01-15 18:42:54 UTC (rev 147)
+++ trunk/debian/NEWS	2007-03-01 14:44:41 UTC (rev 148)
@@ -1,3 +1,10 @@
+sql-ledger (2.6.22-2) unstable; urgency=low
+
+  SQL-Ledger is not safe to use in public installations or in installations
+  with unstrusted users. Please check the README.Debian file for more details.
+
+ -- Raphael Hertzog <hertzog at debian.org>  Thu,  1 Mar 2007 15:32:10 +0100
+
 sql-ledger (2.6.6-2) unstable; urgency=low
 
   SQL-Ledger is now installed in /usr/share/sql-ledger instead of
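Review bot: typo in the third added line, "unstrusted users" should read "untrusted users"; the README.Debian text added in this same commit spells it correctly, so the two files currently disagree. Since this NEWS entry is the short form most admins will actually see, consider stating the core point in it directly ("any user with an account on the application can exploit it, and some past issues needed no account") rather than only pointing at README.Debian.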

Modified: trunk/debian/README.Debian
===================================================================
--- trunk/debian/README.Debian	2007-01-15 18:42:54 UTC (rev 147)
+++ trunk/debian/README.Debian	2007-03-01 14:44:41 UTC (rev 148)
@@ -1,6 +1,28 @@
 sql-ledger for Debian
 ---------------------
 
+IMPORTANT SECURITY NOTICE
+-------------------------
+SQL-Ledger is known to have many vulnerabilities that are exploitable by
+someone who has a user account on this web application. That's why you
+should *only* use that application if you trust the users that have access
+to it.
+
+Historically it also had some vulnerabilities that could be exploited even
+without having an account. So we advise to you to put this web
+application in an authenticated HTTP zone.
+
+Summary: SQL-Ledger is not suitable for public installations or for
+installations with untrusted users.
+
+Some pointers:
+http://bugs.debian.org/409703
+http://www.securityfocus.com/archive/1/459264
+http://www.securityfocus.com/archive/1/445817
+
+CONFIGURATION INFORMATION
+-------------------------
+
 To test this package you need to add this line to you
 /etc/apache/httpd.conf:
  include /etc/sql-ledger/sql-ledger-httpd.conf
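Review bot: the advice "put this web application in an authenticated HTTP zone" is not actionable as written, and the sentence has a grammar slip ("So we advise to you to put"). Suggest something like "we advise you to protect the whole application with HTTP authentication at the web server level, for example in the Apache fragment /etc/sql-ledger/sql-ledger-httpd.conf referenced below, so that not even the login page is reachable by anonymous clients"; that ties the warning to the configuration step the same file already describes. The three bare URLs under "Some pointers:" would also read better with a short description each (the Debian bug report, and the two securityfocus.com posts), so the admin knows what each one is before following it. While here, the unchanged context line "add this line to you /etc/apache/httpd.conf" should read "to your".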

Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog	2007-01-15 18:42:54 UTC (rev 147)
+++ trunk/debian/changelog	2007-03-01 14:44:41 UTC (rev 148)
@@ -1,3 +1,10 @@
+sql-ledger (2.6.22-2) unstable; urgency=high
+
+  * Document the security problem of SQL-Ledger in the README.Debian file
+    (and in NEWS). Closes: #409703
+
+ -- Raphael Hertzog <hertzog at debian.org>  Thu,  1 Mar 2007 15:34:36 +0100
+
 sql-ledger (2.6.22-1) unstable; urgency=high
 
   * New upstream release that only adds one bugfix where the user can loose
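Review bot: the urgency here is "high", but the NEWS entry for the same version 2.6.22-2 added in this commit says "urgency=low"; the two should agree, and since the entry closes a security bug (#409703) "high" is the right value for both. Also "Document the security problem" understates what README.Debian now says (several vulnerabilities, some exploitable without an account); "security problems" would match the text being added.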



