[Secure-testing-team] Release sql-ledger as part of etch?

Florian Weimer fw at deneb.enyo.de
Sat Mar 24 10:57:39 UTC 2007


Is it really a good idea to release this with etch, given excerpt from
the README.Debian file below?  (Sorry if this has been discussed
before.)

IMPORTANT SECURITY NOTICE
-------------------------
SQL-Ledger is known to have many vulnerabilities that are exploitable by
someone who has a user account on this web application. That's why you
should *only* use that application if you trust the users that have access
to it.

Historically it also had some vulnerabilities that could be exploited even
without having an account. So we advise you to put this web
application in an authenticated HTTP zone.

Summary: SQL-Ledger is not suitable for public installations or for
installations with untrusted users.

Some pointers:
http://bugs.debian.org/409703
http://www.securityfocus.com/archive/1/459264
http://www.securityfocus.com/archive/1/445817
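The "authenticated HTTP zone" the README recommends is typically an Apache location that refuses any request without valid web-server credentials, so the application's own login and its known post-authentication flaws are only reachable by people the administrator has explicitly enrolled. The fragment below is an added illustration of that idea, not text from the README.Debian file or from the sql-ledger package; the mount point /sql-ledger, the password file path and the user name are assumptions for the example.

```apache
# Example only: restrict the SQL-Ledger location to users known to the web server.
# Assumed mount point: /sql-ledger (check the package's Apache snippet for the real one).
<Location /sql-ledger>
    # Require a web-server account before any application code runs.
    AuthType Basic
    AuthName "SQL-Ledger (restricted)"
    # Assumed path; create it with:  htpasswd -c /etc/apache2/sql-ledger.htpasswd alice
    AuthUserFile /etc/apache2/sql-ledger.htpasswd
    Require valid-user

    # Basic auth sends credentials in the clear unless the vhost is HTTPS-only;
    # refuse plain-HTTP access so the credentials are never sent unencrypted.
    SSLRequireSSL
</Location>
```

This only narrows who can reach the application; it does not address the vulnerabilities exploitable by account holders that the notice describes, so the set of enrolled users should still be limited to people the administrator trusts.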


