[Pkg-sql-ledger-discussion] Re: Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244

Finn-Arne Johansen faj at bzz.no
Mon Sep 11 09:53:19 UTC 2006


Raphael Hertzog skrev:
> On Fri, 08 Sep 2006, Chris Morris wrote:
>> Package: sql-ledger
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4244
>> Recently fully disclosed at
>> http://www.securityfocus.com/archive/1/445512/30/0/threaded
>>
>> Looking at the source of menu.pl it appears to work exactly as Chris
>> Travers describes it.
>>
>> Apparently all versions from 2.4.4 onwards are affected, which includes
>> the version in sarge.
> 
> I uploaded the new upstream version 2.6.18-1 to sid, it fixes this issue.
> For sarge, I created 2.4.7-2sarge1 and I uploaded it here:
> http://people.debian.org/~hertzog/sql-ledger/
> 
> It's a full (signed) upload which can simply be uploaded to the security
> archive (dist="stable-security" as per devel ref 5.8.5.3).
> 
> The patch used is here:
> http://people.debian.org/~hertzog/sql-ledger/sql-ledger.patch
> 
> I simply applied the relevant changes between 2.6.17 and 2.6.18 to the old
> 2.4.7-2 and it applied immediately. However I haven't had the time to test
> if the package upgrades fine and if it still works well.

The upgrade did work ok, but I failed to see how it should fix the bug.
But I haven't had time to look closely at it.

I still have the same cookie that tells when I logged in and the user-name
I used to log in with.


> I'd like other people from pkg-sql-ledger-discussion at l.a.d.o to help out
> with the testing. Can people confirm that the updated package works fine?

It works, but I fail to see how it fixes the bug.

-- 
Finn-Arne Johansen
faj at bzz.no http://bzz.no/
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642