[Pkg-sql-ledger-discussion] Re: Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244

Raphael Hertzog hertzog at debian.org
Sun Sep 10 20:20:49 UTC 2006


On Fri, 08 Sep 2006, Chris Morris wrote:
> Package: sql-ledger
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4244
> Recently fully disclosed at
> http://www.securityfocus.com/archive/1/445512/30/0/threaded
> 
> Looking at the source of menu.pl it appears to work exactly as Chris
> Travers describes it.
> 
> Apparently all versions from 2.4.4 onwards are affected, which includes
> the version in sarge.

I uploaded the new upstream version 2.6.18-1 to sid; it fixes this issue.
For sarge, I created 2.4.7-2sarge1 and I uploaded it here:
http://people.debian.org/~hertzog/sql-ledger/

It's a full (signed) upload which can simply be uploaded to the security
archive (dist="stable-security" as per devel ref 5.8.5.3).

The patch used is here:
http://people.debian.org/~hertzog/sql-ledger/sql-ledger.patch

I simply applied the relevant changes between 2.6.17 and 2.6.18 to the old
2.4.7-2 and it applied immediately. However, I haven't had the time to test
whether the package upgrades fine and whether it still works well.

I'd like other people from pkg-sql-ledger-discussion at l.a.d.o to help out
with the testing. Can people confirm that the updated package works fine?

Cheers,
-- 
Raphaël Hertzog

First French book on Debian GNU/Linux:
http://www.ouaza.com/livre/admin-debian/
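The backport step the mail describes (extract the delta between two upstream releases and apply it to the older stable tree) as an added example; this is not code from the thread or from the sql-ledger project. The three file contents, the file name `menu.pl` used in the diff headers and the line shown as "vulnerable" are constructed stand-ins, and the hunk parser is a deliberately small applier written here, not GNU `patch`. It also covers the failure mode the mail does not hit: a stable tree whose lines no longer match the hunk context.

```python
"""Added example: not code from the bug thread or from the sql-ledger project.

Reproduces, on constructed data, the backport workflow the mail describes:
take the delta between two upstream releases (stand-ins for 2.6.17 and
2.6.18) and apply it to an older tree (a stand-in for 2.4.7), checking with
a dry run first so that a hunk whose context no longer matches is rejected
before the old source is touched. All file contents and names below are
made up for illustration; only the shape of the procedure comes from the mail.
"""
import difflib
import re

# Constructed contents of one file in each tree (not real sql-ledger code).
UPSTREAM_OLD = ["package main;\n", "sub menu {\n", "  unchecked_call();\n", "}\n", "1;\n"]
UPSTREAM_NEW = ["package main;\n", "sub menu {\n", "  checked_call();\n", "}\n", "1;\n"]
# The stable tree carries the same vulnerable line plus a local addition elsewhere.
STABLE_OLD = UPSTREAM_OLD + ["# sarge-only line\n"]
# A tree whose vulnerable line was already modified locally: the hunk must not apply.
STABLE_DIVERGED = ["package main;\n", "sub menu {\n", "  unchecked_call(1);\n", "}\n", "1;\n"]

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def make_delta(old, new):
    """Unified diff between two releases, i.e. what `diff -u` produces."""
    return "".join(difflib.unified_diff(old, new, "a/menu.pl", "b/menu.pl"))


def parse_hunks(delta):
    """Split a unified diff into hunks: each is its old-side start line and
    its body lines (' ' context, '-' removed, '+' added)."""
    hunks, current = [], None
    for line in delta.splitlines(keepends=True):
        m = HUNK_RE.match(line)
        if m:
            current = {"start": int(m.group(1)), "lines": []}
            hunks.append(current)
        elif current is not None and line[:1] in (" ", "-", "+"):
            current["lines"].append(line)
        # the ---/+++ file headers before the first hunk are ignored
    return hunks


def apply_delta(target, delta):
    """Return a new list of lines with every hunk applied to `target`.
    Raises ValueError (and leaves `target` untouched) if a hunk's context or
    removed lines are not found where the diff says they should be; that is
    the 'patch does not apply' case."""
    result = list(target)
    offset = 0  # running line-count shift from hunks already applied
    for hunk in parse_hunks(delta):
        expected = [l[1:] for l in hunk["lines"] if l[0] in " -"]
        # A pure insertion hunk (-N,0) names the line after which to insert.
        pos = hunk["start"] - (1 if expected else 0) + offset
        if result[pos:pos + len(expected)] != expected:
            raise ValueError(f"hunk at old line {hunk['start']} does not apply")
        replacement = [l[1:] for l in hunk["lines"] if l[0] in " +"]
        result[pos:pos + len(expected)] = replacement
        offset += len(replacement) - len(expected)
    return result


def check_applies(target, delta):
    """Dry run: True if every hunk applies cleanly, False otherwise."""
    try:
        apply_delta(target, delta)
    except ValueError:
        return False
    return True


def backport():
    """The workflow from the mail: build the upstream delta, dry-run it
    against the stable tree, and only then apply it."""
    delta = make_delta(UPSTREAM_OLD, UPSTREAM_NEW)
    if not check_applies(STABLE_OLD, delta):
        raise SystemExit("backport needs manual work")
    return apply_delta(STABLE_OLD, delta)


if __name__ == "__main__":
    print("".join(backport()), end="")
    delta = make_delta(UPSTREAM_OLD, UPSTREAM_NEW)
    print("diverged tree applies cleanly:", check_applies(STABLE_DIVERGED, delta))
```

The dry run matters because a hunk that fails half-way through a real `patch` run leaves `.rej` files and a partially modified tree; checking every hunk against its context before writing anything is what "it applied immediately" is silently relying on. For a real package you would still follow this with the build and upgrade test the mail asks for, since a clean textual apply says nothing about whether the surrounding 2.4.7 code still calls the changed function the same way.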
