[Secure-testing-team] Release sql-ledger as part of etch?

Alec Berryman alec at thened.net
Sat Mar 24 17:07:15 UTC 2007


Florian Weimer on 2007-03-24 10:57:39 +0100:

> Is it really a good idea to release this with etch, given excerpt from
> the README.Debian file below?  (Sorry if this has been discussed
> before.)
>
> IMPORTANT SECURITY NOTICE
> -------------------------
> SQL-Ledger is known to have many vulnerabilities that are exploitable by
> someone who has a user account on this web application. That's why you
> should *only* use that application if you trust the users that have access
> to it.
>
> Historically it also had some vulnerabilities that could be exploited even
> without having an account. So we advise you to put this web
> application in an authenticated HTTP zone.

debian/postinst unconditionally enables the application in apache (only
apache, not apache2), but does not restart the web server to make it
available.  If it's a security risk and should only be run in an
authenticated HTTP zone as the maintainer suggests, perhaps it should
not be enabled by default.
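For readers wondering what the "authenticated HTTP zone" mentioned in the README looks like in practice, here is an Apache 1.3-style fragment that gates the application behind web-server authentication and a network allow-list. This is an added illustration, not configuration shipped by the sql-ledger package or written by the maintainer; the alias name, install directory and password-file path are assumptions chosen for the example.

```apache
# Added example, not part of the sql-ledger package.
# Goal: no request reaches the SQL-Ledger CGI scripts unless the web
# server itself has authenticated the client first, so the
# account-level and pre-authentication vulnerabilities noted in
# README.Debian are only reachable by people the admin already trusts.

# Assumed URL prefix and install location (adjust to the real package layout).
Alias /sql-ledger /usr/share/sql-ledger

<Directory /usr/share/sql-ledger>
    # Web-server login required before the application sees anything.
    # Create the file with:  htpasswd -c /etc/sql-ledger/htpasswd <user>
    AuthType Basic
    AuthName "SQL-Ledger (restricted)"
    AuthUserFile /etc/sql-ledger/htpasswd
    Require valid-user

    # Apache 1.3 host-based access control: default deny, then allow only
    # the local host and an assumed internal network range.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 192.168.1.0/24

    # Both the password check AND the host check must pass.
    Satisfy all
</Directory>
```

Two practical notes: Basic authentication only base64-encodes the credentials, so this zone should be served over HTTPS, and after editing the configuration run `apachectl configtest` before restarting, since, as observed above, postinst does not restart the server for you and a syntax error would otherwise surface only on the next restart.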
