Bug#386519: [Pkg-sql-ledger-discussion] Re: Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244

Raphael Hertzog hertzog at debian.org
Tue Sep 12 09:34:06 UTC 2006


On Tue, 12 Sep 2006, Finn-Arne Johansen wrote:
> Dieter Simader skrev:
> > The sessionid is still there but not used anymore.
> > 
> > If you need more info let me know.
> 
> OK, as said - I've tested that the new package installs ok, but I have
> not found the time to check how the bug is fixed.
> 
> Since I'm under a rather heavy workload now, I doubt that I can make the
> time to verify anything else than that the upgrade went ok.

Same for me. I'm rather busy lately and I prepared this patch because it's
a security issue but I do not have time to test the old security-patched
package.

I have no reason to believe that it would cause major pains however.
Petter, maybe you have some time to test the sarge update?

> If Raphael understands the patch, I suggest it's uploaded to the
> security mirror, and that a DSA is released.

Indeed, but I just generated a new version of that update since a second
security issue has been fixed in 2.6.19 (a directory traversal bug). I
also applied the fix for the "new window" function which broke due to the
change in the session id handling.

Please checkout the updated package (and patch) at:
http://people.debian.org/~hertzog/sql-ledger/

As soon as Petter (or anyone else) confirms that the package is OK, we
should upload to the security mirror and release a DSA.

Cheers,
-- 
Raphaël Hertzog

Premier livre français sur Debian GNU/Linux :
http://www.ouaza.com/livre/admin-debian/
