[Pkg-sql-ledger-commit] r148 - trunk/debian
pkg-sql-ledger-commit-owner at lists.alioth.debian.org
Thu Mar 1 15:44:41 CET 2007
Author: hertzog
Date: 2007-03-01 15:44:41 +0100 (Thu, 01 Mar 2007)
New Revision: 148
Modified:
trunk/debian/NEWS
trunk/debian/README.Debian
trunk/debian/changelog
Log:
Add warning about security.
Modified: trunk/debian/NEWS
===================================================================
--- trunk/debian/NEWS 2007-01-15 18:42:54 UTC (rev 147)
+++ trunk/debian/NEWS 2007-03-01 14:44:41 UTC (rev 148)
@@ -1,3 +1,10 @@
+sql-ledger (2.6.22-2) unstable; urgency=low
+
+ SQL-Ledger is not safe to use in public installations or in installations
+ with unstrusted users. Please check the README.Debian file for more details.
+
+ -- Raphael Hertzog <hertzog at debian.org> Thu, 1 Mar 2007 15:32:10 +0100
+
sql-ledger (2.6.6-2) unstable; urgency=low
SQL-Ledger is now installed in /usr/share/sql-ledger instead of
Modified: trunk/debian/README.Debian
===================================================================
--- trunk/debian/README.Debian 2007-01-15 18:42:54 UTC (rev 147)
+++ trunk/debian/README.Debian 2007-03-01 14:44:41 UTC (rev 148)
@@ -1,6 +1,28 @@
sql-ledger for Debian
---------------------
+IMPORTANT SECURITY NOTICE
+-------------------------
+SQL-Ledger is known to have many vulnerabilities that are exploitable by
+someone who has a user account on this web application. That's why you
+should *only* use that application if you trust the users that have access
+to it.
+
+Historically it also had some vulnerabilities that could be exploited even
+without having an account. So we advise to you to put this web
+application in an authenticated HTTP zone.
+
+Summary: SQL-Ledger is not suitable for public installations or for
+installations with untrusted users.
+
+Some pointers:
+http://bugs.debian.org/409703
+http://www.securityfocus.com/archive/1/459264
+http://www.securityfocus.com/archive/1/445817
+
+CONFIGURATION INFORMATION
+-------------------------
+
To test this package you need to add this line to you
/etc/apache/httpd.conf:
include /etc/sql-ledger/sql-ledger-httpd.conf
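Review bot: `So we advise to you to put this web application in an authenticated HTTP zone` has a stray `to` and gives the admin nothing actionable; since the CONFIGURATION INFORMATION section right below already points at `/etc/sql-ledger/sql-ledger-httpd.conf`, the notice should say that this is the place to add HTTP authentication in front of the application (and name the mechanism, e.g. Apache basic or digest auth) so `authenticated HTTP zone` has a concrete meaning. The sentence `Historically it also had some vulnerabilities that could be exploited even without having an account` also leaves open whether those unauthenticated issues are fixed in the version being shipped; stating that explicitly (or pointing at which of the three listed references cover them) would make the risk statement usable. Minor: `use that application` reads better as `use this application`.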
Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog 2007-01-15 18:42:54 UTC (rev 147)
+++ trunk/debian/changelog 2007-03-01 14:44:41 UTC (rev 148)
@@ -1,3 +1,10 @@
+sql-ledger (2.6.22-2) unstable; urgency=high
+
+ * Document the security problem of SQL-Ledger in the README.Debian file
+ (and in NEWS). Closes: #409703
+
+ -- Raphael Hertzog <hertzog at debian.org> Thu, 1 Mar 2007 15:34:36 +0100
+
sql-ledger (2.6.22-1) unstable; urgency=high
* New upstream release that only adds one bugfix where the user can loose