Bug#386519: [Pkg-sql-ledger-discussion] Re: Bug#386519:
sql-ledger: Security vulnerability CVE-2006-4244
Raphael Hertzog
hertzog at debian.org
Tue Sep 12 12:54:14 UTC 2006
On Tue, 12 Sep 2006, Finn-Arne Johansen wrote:
> > Indeed, but I just generated a new version of that update since a second
> > security issue has been fixed in 2.6.19 (a directory traversal bug). I
> > also applied the fix for the "new window" function which broke due
> > to the change in the session id handling.
>
> How did that break ?
I don't have time to investigate the details, I expected it to be related
to a second login generating a new cookie and thus invalidating the one
used by the first window.
> I'm using 2.4.7-2sarge1, and the "new window" function works as far as I
> can see.
>
> So if "new window" should fail to work because of the patch, the patch
> is not working, since "new window" works for me. I seldom use that
> function, I rather right-click and select "open in new TAB"
I don't know really. Dieter, any comment?
> > Please checkout the updated package (and patch) at:
> > http://people.debian.org/~hertzog/sql-ledger/
>
> well, I do run the same version, but I guess you built a new version
> with the same version number.
Yes, I rebuilt it with the same version number.
> * Security upload.
> * Fix bad handling of sessionid: CVE-2006-4244
> Closes: #386519
I've added this:
* Fix directory traversal security issues (backported from 2.6.19)
Cheers,
--
Raphaël Hertzog
First French book on Debian GNU/Linux:
http://www.ouaza.com/livre/admin-debian/