Bug#386519: [Pkg-sql-ledger-discussion] Re: Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244

Raphael Hertzog hertzog at debian.org
Tue Sep 12 12:54:14 UTC 2006

On Tue, 12 Sep 2006, Finn-Arne Johansen wrote:
> > Indeed, but I just generated a new version of that update since a second
> > security issue has been fixed in 2.6.19 (a directory traversal bug). I
> > also applied applied the fix for the "new window" function which broke due
> > to the change in the session id handling. 
> How did that break ?

I don't have time to investigate the details, I expected it to be related
to a second login generating a new cookie and thus invalidating the one
used by the first window.

> I'm using 2.4.7-2sarge1, and the "new window" function works as far as I
> can see.
> So if "new window" should fail to work because of the patch, the patch
> is not working, since "new window" works for me. I seldom use that
> function, I rather right-click and selects "open in new TAB"

I don't know really. Dieter, any comment?

> > Please checkout the updated package (and patch) at:
> > http://people.debian.org/~hertzog/sql-ledger/
> well, I do run the same version, but I guess you built a new version
> with the same version number.

Yes, I rebuilt it with the same version number.

>   * Security upload.
>   * Fix bad handling of sessionid: CVE-2006-4244
>     Closes: #386519

I've added this:
  * Fix directory traversal security issues (backported from 2.6.19)

Raphaël Hertzog

Premier livre français sur Debian GNU/Linux :

More information about the Pkg-sql-ledger-discussion mailing list