[Secure-testing-team] Release sql-ledger as part of etch?
Alec Berryman
alec at thened.net
Sat Mar 24 17:07:15 UTC 2007
Florian Weimer on 2007-03-24 10:57:39 +0100:
> Is it really a good idea to release this with etch, given excerpt from
> the README.Debian file below? (Sorry if this has been discussed
> before.)
>
> IMPORTANT SECURITY NOTICE
> -------------------------
> SQL-Ledger is known to have many vulnerabilities that are exploitable by
> someone who has a user account on this web application. That's why you
> should *only* use that application if you trust the users that have access
> to it.
>
> Historically it also had some vulnerabilities that could be exploited even
> without having an account. So we advise you to put this web
> application in an authenticated HTTP zone.
debian/postinst unconditionally enables the application in apache (only
apache, not apache2), but does not restart the web server to make it
available. If it's a security risk and should only be run in an
authenticated HTTP zone as the maintainer suggests, perhaps it should
not be enabled by default.
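As an added illustration (not from the thread, the Debian package, or its postinst), this is what the README's "authenticated HTTP zone" looks like as an Apache 1.3-style configuration fragment: the web server demands HTTP authentication before any request reaches the application, so the unauthenticated-vulnerability class the README mentions is not reachable by arbitrary clients. The alias, install path, password file and network range are assumptions for the example.

```apache
# Added example, not the sql-ledger package's own configuration.
# Alias and install path are assumed for illustration.
Alias /sql-ledger /usr/share/sql-ledger

<Directory /usr/share/sql-ledger>
    Options +ExecCGI
    AddHandler cgi-script .pl

    # The README's advice: require HTTP authentication in front of the
    # application. The password file path is assumed; create it with
    # htpasswd(1) and keep it outside the document root.
    AuthType Basic
    AuthName "SQL-Ledger"
    AuthUserFile /etc/sql-ledger/htpasswd
    Require valid-user

    # Optionally restrict by source network as well. 192.0.2.0/24 is a
    # documentation range (RFC 5737) standing in for the trusted LAN.
    # "Satisfy all" means both the network check and the login must pass.
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
    Satisfy all
</Directory>
```

Basic authentication sends credentials in clear text, so this zone only makes sense on a TLS-protected virtual host or a trusted network. The server-side login is in addition to, not a replacement for, the application's own accounts: it keeps unauthenticated users out, while the README's warning about vulnerabilities exploitable by account holders still applies to everyone who gets through it.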