[Pkg-sql-ledger-discussion] Re: Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244

Raphael Hertzog hertzog at debian.org
Mon Sep 11 13:08:41 UTC 2006


Hi,

On Mon, 11 Sep 2006, Finn-Arne Johansen wrote:
> > I simply applied the relevant changes between 2.6.17 and 2.6.18 to the old
> > 2.4.7-2 and it applied immediately. However I haven't had the time to test
> > if the package upgrades fine and if it still works well.
> 
> The upgrade did work ok, but I failed to see how it should fix the bug.
> But I haven't had time to look closely at it.
> 
> I still have the same cookie, that tells when I logged in, the user-name
> I used to log in with.
> 
> > I'd like other people from pkg-sql-ledger-discussion at l.a.d.o to help out
> > with the testing. Can people confirm that the updated package works fine?
> 
> It works, but I fail to see how it fixes the bug.

The upstream author said:
| This upgrade fixes a bug discovered with the sessionid.
| 
| The new procedure is now without a visible sessionid but the login and
| password is compared. The cookie for the browser contains a scrambled
| string of the login, password and a time value. This scrambled string
| which is only visible to the browser is then assembled with the key stored
| in the user's config file. In order for someone to crack the code you need
| to have the cookie from the browser, which you can only get if someone
| eavesdrops, and you also need the key from the user.
| 
| The session will also time out regardless if there is activity or not. So,
| if you have the timeout value set to 3600 you will have to enter your
| password every hour. I'll take another look at this if I can extend the
| session if there is activity. The way it is right now a new key is
| generated when a user enters a password.

I haven't checked the logic of Dieter's patch but I haven't seen any
complaint on the mailing list either.

<digress>
I'm quite unhappy with how this security incident has been handled by
Dieter as he was aware of the problem for several months!

Thus, we should seriously consider packaging ledger-smb (the new fork
of sql-ledger) for the future (and maybe drop sql-ledger if the fork
stays alive).
</digress>

Cheers,
-- 
Raphaël Hertzog

First French book on Debian GNU/Linux:
http://www.ouaza.com/livre/admin-debian/
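To make the upstream explanation quoted above concrete, the following is an added Python sketch of a keyed session cookie. It is not sql-ledger's code and not Dieter's patch: it uses HMAC-SHA256 over the login and the issue time with a secret held in a stand-in for the user's config file, leaves the password out of the cookie on purpose, and enforces the absolute timeout regardless of activity. The names UserConfig, issue_cookie and verify_cookie and the 3600-second timeout are assumptions for the illustration. The point it shows is the one Finn-Arne was puzzled by: the cookie can still carry a visible login and login time, yet it cannot be forged or extended without the per-user key, and rotating that key on the next password login invalidates every cookie minted before it.

```python
import hashlib
import hmac
import secrets
import time

# Absolute session lifetime in seconds (the "timeout value set to 3600"
# mentioned in the message). Assumed value for this example.
SESSION_TIMEOUT = 3600


class UserConfig:
    """Stand-in for the per-user config file that stores the session key."""

    def __init__(self, login):
        self.login = login
        self.key = None  # no key until the user authenticates with a password

    def rotate_key(self):
        # Called whenever the user enters a password: a fresh random key means
        # any cookie issued under the previous key stops verifying.
        self.key = secrets.token_bytes(32)


def _mac(key, login, issued_at):
    """Keyed MAC over the visible cookie fields (login and issue time)."""
    msg = f"{login}|{issued_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_cookie(cfg, now=None):
    """Build 'login|issued_at|mac'. The login and time are visible on purpose."""
    issued_at = int(time.time() if now is None else now)
    return f"{cfg.login}|{issued_at}|{_mac(cfg.key, cfg.login, issued_at)}"


def verify_cookie(cookie, users, now=None, timeout=SESSION_TIMEOUT):
    """Return the login if the cookie is authentic and unexpired, else None.

    `users` maps login -> UserConfig (the place the per-user key lives).
    """
    try:
        login, issued_str, tag = cookie.split("|")
        issued_at = int(issued_str)
    except ValueError:
        return None  # malformed cookie
    cfg = users.get(login)
    if cfg is None or cfg.key is None:
        return None  # unknown user, or user has no active key
    expected = _mac(cfg.key, login, issued_at)
    if not hmac.compare_digest(expected, tag):
        return None  # tampered fields or forged tag (constant-time compare)
    now = int(time.time() if now is None else now)
    if now < issued_at or now - issued_at >= timeout:
        return None  # absolute timeout: activity does not extend the session
    return login


if __name__ == "__main__":
    # Constructed walkthrough: a user logs in at t=1000, then various checks.
    admin = UserConfig("admin")
    admin.rotate_key()
    users = {"admin": admin}
    cookie = issue_cookie(admin, now=1000)
    print("valid at t=1500:", verify_cookie(cookie, users, now=1500))
    login, ts, tag = cookie.split("|")
    forged = f"{login}|{int(ts) + 5000}|{tag}"  # try to push the time forward
    print("tampered time  :", verify_cookie(forged, users, now=5500))
    print("after timeout  :", verify_cookie(cookie, users, now=1000 + SESSION_TIMEOUT))
    admin.rotate_key()  # user enters password again -> new key
    print("after key rotation:", verify_cookie(cookie, users, now=1500))
```

The design choice worth noting is that nothing secret travels in the cookie: the login and timestamp are in the clear and the only thing binding them is the MAC under the key in the user's config, so an observer who copies the cookie can replay it until the timeout but cannot mint a new one or stretch the lifetime of the one they hold.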


