[Secure-testing-team] Release sql-ledger as part of etch?

Moritz Muehlenhoff jmm at inutil.org
Sun Mar 25 22:45:01 UTC 2007


Florian Weimer wrote:
> Is it really a good idea to release this with etch, given excerpt from
> the README.Debian file below?  (Sorry if this has been discussed
> before.)
> 
> IMPORTANT SECURITY NOTICE
> -------------------------
> SQL-Ledger is known to have many vulnerabilities that are exploitable by
> someone who has a user account on this web application. That's why you
> should *only* use that application if you trust the users that have access
> to it.
> 
> Historically it also had some vulnerabilities that could be exploited even
> without having an account. So we advise you to put this web
> application in an authenticated HTTP zone.
> 
> Summary: SQL-Ledger is not suitable for public installations or for
> installations with untrusted users.

I recommended adding such a note; the alternative would have been to remove
it altogether.
Given the nature of the program it seems likely that there are still useful
fields of application.

BTW, for discussions not directly related to the Security Tracker we should
rather use debian-security at ldo.

Cheers,
        Moritz
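The "authenticated HTTP zone" that the quoted README recommends, as an added configuration example that is not part of this thread or of the sql-ledger package. It assumes Apache 2.4 directive syntax (mod_auth_basic and mod_authz_core loaded), that the application lives under /usr/share/sql-ledger, and an htpasswd file at /etc/apache2/sql-ledger.htpasswd; the realm name and the 192.0.2.0/24 office network are constructed values.

```apache
# Added example, not from the thread or the sql-ledger package.
# Apache refuses the request before any SQL-Ledger CGI runs, so the
# application's own (weak) login is never reachable by anonymous users.
# Paths, realm, user file and network range are assumptions.
<Directory /usr/share/sql-ledger>
    AuthType Basic
    AuthName "SQL-Ledger (authorized users only)"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/sql-ledger.htpasswd

    # Both conditions must hold: a valid web-server account AND a
    # source address on the trusted network. A bare second "Require"
    # line would be OR-ed with the first under Apache 2.4 defaults,
    # which is why the RequireAll block is used.
    <RequireAll>
        Require valid-user
        Require ip 192.0.2.0/24
    </RequireAll>
</Directory>
```

Create the user file with `htpasswd -c /etc/apache2/sql-ledger.htpasswd <user>` (drop `-c` for further users), and keep the directory inside a TLS-only virtual host, since Basic authentication sends the password in a reversible encoding on every request. This only shields the unauthenticated-attacker class of bugs mentioned in the README; the flaws reachable by any account holder remain, which is the reason the notice limits the package to trusted users.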


