On Fri, 08 Sep 2006, Chris Morris wrote:
> Package: sql-ledger
> Severity: grave
> Tags: security
> Justification: user security hole
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4244
> Recently fully disclosed at
> http://www.securityfocus.com/archive/1/445512/30/0/threaded
>
> Looking at the source of menu.pl it appears to work exactly as Chris
> Travers describes it.
>
> Apparently all versions from 2.4.4 onwards are affected, which includes
> the version in sarge.
I uploaded the new upstream version 2.6.18-1 to sid; it fixes this issue.

For sarge, I created 2.4.7-2sarge1 and I uploaded it here:
http://people.debian.org/~hertzog/sql-ledger/

It's a full (signed) upload which can simply be uploaded to the security archive (dist="stable-security" as per devel ref 5.8.5.3).

The patch used is here:
http://people.debian.org/~hertzog/sql-ledger/sql-ledger.patch

I simply applied the relevant changes between 2.6.17 and 2.6.18 to the old 2.4.7-2 and it applied immediately. However, I haven't had the time to test if the package upgrades fine and if it still works well.

I'd like other people from [EMAIL PROTECTED] to help out with the testing. Can people confirm that the updated package works fine?

Cheers,
--
Raphaël Hertzog
First French book on Debian GNU/Linux: http://www.ouaza.com/livre/admin-debian/