Bug#386519: [Pkg-sql-ledger-discussion] Re: Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244

Finn-Arne Johansen faj at bzz.no
Tue Sep 12 11:21:50 UTC 2006


Raphael Hertzog skrev:
> On Tue, 12 Sep 2006, Finn-Arne Johansen wrote:
>> Dieter Simader skrev:
>>> The sessionid is still there but not used anymore.
>>>
>>> If you need more info let me know.
>> OK, as said - I've tested that the new package installs ok, but I have
>> not found the time to check how the bug is fixed.
>>
>> Since I'm under a rather heavy workload now, I doubt that I can make the
>> time to verify anything else than that the upgrade went ok.
> 
> Same for me. I'm rather busy lately and I prepared this patch because it's
> a security issue but I do not have time to test the old security-patched
> package.
> 
> I have no reason to believe that it would cause major pains however.
> Petter, maybe you have some time to test the sarge update?
> 
>> If Raphael understands the patch, I suggest it's uploaded to the
>> security mirror, and that a DSA is released.
> 
> Indeed, but I just generated a new version of that update since a second
> security issue has been fixed in 2.6.19 (a directory traversal bug). I
> also applied the fix for the "new window" function which broke due
> to the change in the session id handling.

How did that break?

I'm using 2.4.7-2sarge1, and the "new window" function works as far as I
can see.

So if "new window" should fail to work because of the patch, the patch
is not working, since "new window" works for me. I seldom use that
function; I rather right-click and select "open in new TAB".

> Please checkout the updated package (and patch) at:
> http://people.debian.org/~hertzog/sql-ledger/

Well, I do run the same version, but I guess you built a new version
with the same version number.

Here is the entry from the changelog on the version I'm using:
sql-ledger (2.4.7-2sarge1) stable-security; urgency=high

  * Security upload.
  * Fix bad handling of sessionid: CVE-2006-4244
    Closes: #386519

 -- Raphael Hertzog <hertzog at debian.org>  Sun, 10 Sep 2006 21:56:34+0200


-- 
Finn-Arne Johansen
faj at bzz.no http://bzz.no/
Debian-edu developer and Solution provider
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642