[Secure-testing-team] sql-ledger issues
Nico Golde
debian-secure-testing+ml at ngolde.de
Fri Oct 12 14:53:16 UTC 2007
Hi,
sql-ledger just has another CVE[0]. Looking at the reports of the security issue and the discussion[1] in the BTS, to me it is not really clear why documenting that this package is not supported by the security team is an option but removing it is not. There are really a lot of SQL injection bugs in sql-ledger, there is a fork[2] where engaged people fix such stuff, and there are 66 installations according to popcon. So why not just remove this software and file an RFP for ledgersmb?

I agree that writing this in the sql-ledger documentation would be better than the current state, but people tend not to read documentation (or package tags), and this does not make the code itself more secure.
Kind regards
Nico
[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=446366
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=409703
[2] http://www.ledgersmb.org/
--
Nico Golde - http://ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.