Bug#386519: [Pkg-sql-ledger-discussion] Re: Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244
Dieter Simader wrote:
> The sessionid is still there but not used anymore. If you need more
> info let me know.

OK, as said - I've tested that the new package installs ok, but I have
not found the time to check how the bug is fixed. Since I'm under a
rather heavy workload now, I doubt that I can make the time to verify
anything else than that the upgrade went ok.

If Raphael understands the patch, I suggest it's uploaded to the security
mirror, and that a DSA is released.

-- 
Finn-Arne Johansen
[EMAIL PROTECTED]   http://bzz.no/
Debian-edu developer and Solution provider
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#386519: Re: Bug#386519: [Pkg-sql-ledger-discussion] Re: Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244
On Tue, 12 Sep 2006, Finn-Arne Johansen wrote:
> Dieter Simader wrote:
>> The sessionid is still there but not used anymore. If you need more
>> info let me know.
>
> OK, as said - I've tested that the new package installs ok, but I have
> not found the time to check how the bug is fixed. Since I'm under a
> rather heavy workload now, I doubt that I can make the time to verify
> anything else than that the upgrade went ok.

Same for me. I'm rather busy lately and I prepared this patch because
it's a security issue but I do not have time to test the old
security-patched package. I have no reason to believe that it would cause
major pains however.

Petter, maybe you have some time to test the sarge update?

> If Raphael understands the patch, I suggest it's uploaded to the
> security mirror, and that a DSA is released.

Indeed, but I just generated a new version of that update since a second
security issue has been fixed in 2.6.19 (a directory traversal bug). I
also applied the fix for the new window function which broke due to the
change in the session id handling.

Please checkout the updated package (and patch) at:
http://people.debian.org/~hertzog/sql-ledger/

As soon as Petter (or anyone else) confirms that the package is OK, we
should upload to the security mirror and release a DSA.

Cheers,
-- 
Raphaël Hertzog
First French book on Debian GNU/Linux: http://www.ouaza.com/livre/admin-debian/
Bug#386519: [Pkg-sql-ledger-discussion] Re: Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244
Raphael Hertzog wrote:
> On Tue, 12 Sep 2006, Finn-Arne Johansen wrote:
>> Dieter Simader wrote:
>>> The sessionid is still there but not used anymore. If you need more
>>> info let me know.
>>
>> OK, as said - I've tested that the new package installs ok, but I have
>> not found the time to check how the bug is fixed. Since I'm under a
>> rather heavy workload now, I doubt that I can make the time to verify
>> anything else than that the upgrade went ok.
>
> Same for me. I'm rather busy lately and I prepared this patch because
> it's a security issue but I do not have time to test the old
> security-patched package. I have no reason to believe that it would
> cause major pains however.
>
> Petter, maybe you have some time to test the sarge update?
>
>> If Raphael understands the patch, I suggest it's uploaded to the
>> security mirror, and that a DSA is released.
>
> Indeed, but I just generated a new version of that update since a
> second security issue has been fixed in 2.6.19 (a directory traversal
> bug). I also applied the fix for the new window function which broke
> due to the change in the session id handling.

How did that break? I'm using 2.4.7-2sarge1, and the new window function
works as far as I can see. So if new window should fail to work because
of the patch, the patch is not working, since new window works for me.
I seldom use that function, I'd rather right-click and select open in
new TAB.

> Please checkout the updated package (and patch) at:
> http://people.debian.org/~hertzog/sql-ledger/

Well, I do run the same version, but I guess you built a new version
with the same version number. Here is the entry from the changelog on
the version I'm using:

sql-ledger (2.4.7-2sarge1) stable-security; urgency=high

  * Security upload.
  * Fix bad handling of sessionid: CVE-2006-4244 Closes: #386519

 -- Raphael Hertzog [EMAIL PROTECTED]  Sun, 10 Sep 2006 21:56:34 +0200

-- 
Finn-Arne Johansen
[EMAIL PROTECTED]   http://bzz.no/
Debian-edu developer and Solution provider
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642
Bug#386519: [Pkg-sql-ledger-discussion] Re: Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244
On Tue, 12 Sep 2006, Finn-Arne Johansen wrote:
>> Indeed, but I just generated a new version of that update since a
>> second security issue has been fixed in 2.6.19 (a directory traversal
>> bug). I also applied the fix for the new window function which broke
>> due to the change in the session id handling.
>
> How did that break?

I don't have time to investigate the details, I expected it to be related
to a second login generating a new cookie and thus invalidating the one
used by the first window.

> I'm using 2.4.7-2sarge1, and the new window function works as far as I
> can see. So if new window should fail to work because of the patch, the
> patch is not working, since new window works for me. I seldom use that
> function, I'd rather right-click and select open in new TAB.

I don't know really. Dieter, any comment?

>> Please checkout the updated package (and patch) at:
>> http://people.debian.org/~hertzog/sql-ledger/
>
> Well, I do run the same version, but I guess you built a new version
> with the same version number.

Yes, I rebuilt it with the same version number.

>   * Security upload.
>   * Fix bad handling of sessionid: CVE-2006-4244 Closes: #386519

I've added this:
  * Fix directory traversal security issues (backported from 2.6.19)

Cheers,
-- 
Raphaël Hertzog
First French book on Debian GNU/Linux: http://www.ouaza.com/livre/admin-debian/
Bug#386519: [Pkg-sql-ledger-discussion] Re: Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244
Raphael Hertzog wrote:
> On Fri, 08 Sep 2006, Chris Morris wrote:
>> Package: sql-ledger
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4244
>>
>> Recently fully disclosed at
>> http://www.securityfocus.com/archive/1/445512/30/0/threaded
>>
>> Looking at the source of menu.pl it appears to work exactly as Chris
>> Travers describes it. Apparently all versions from 2.4.4 onwards are
>> affected, which includes the version in sarge.
>
> I uploaded the new upstream version 2.6.18-1 to sid, it fixes this issue.
>
> For sarge, I created 2.4.7-2sarge1 and I uploaded it here:
> http://people.debian.org/~hertzog/sql-ledger/
>
> It's a full (signed) upload which can simply be uploaded to the security
> archive (dist=stable-security as per devel ref 5.8.5.3).
>
> The patch used is here:
> http://people.debian.org/~hertzog/sql-ledger/sql-ledger.patch
>
> I simply applied the relevant changes between 2.6.17 and 2.6.18 to the
> old 2.4.7-2 and it applied immediately. However I haven't had the time
> to test if the package upgrades fine and if it still works well.

The upgrade did work ok, but I failed to see how it should fix the bug.
But I haven't had time to look closely at it. I still have the same
cookie, that tells when I logged in, the user-name I used to log in with.

> I'd like other people from [EMAIL PROTECTED] to help out with the
> testing. Can people confirm that the updated package works fine?

It works, but I fail to see how it fixes the bug.

-- 
Finn-Arne Johansen
[EMAIL PROTECTED]   http://bzz.no/
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642
Bug#386519: Re: [Pkg-sql-ledger-discussion] Re: Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244
Hi,

On Mon, 11 Sep 2006, Finn-Arne Johansen wrote:
>> I simply applied the relevant changes between 2.6.17 and 2.6.18 to the
>> old 2.4.7-2 and it applied immediately. However I haven't had the time
>> to test if the package upgrades fine and if it still works well.
>
> The upgrade did work ok, but I failed to see how it should fix the bug.
> But I haven't had time to look closely at it. I still have the same
> cookie, that tells when I logged in, the user-name I used to log in with.
>
>> I'd like other people from [EMAIL PROTECTED] to help out with the
>> testing. Can people confirm that the updated package works fine?
>
> It works, but I fail to see how it fixes the bug.

The upstream author said:
| This upgrade fixes a bug discovered with the sessionid.
|
| The new procedure is now without a visible sessionid but the login and
| password is compared. The cookie for the browser contains a scrambled
| string of the login, password and a time value. This scrambled string
| which is only visible to the browser is then assembled with the key stored
| in the user's config file. In order for someone to crack the code you need
| to have the cookie from the browser, which you can only get if someone
| eavesdrops, and you also need the key from the user.
|
| The session will also time out regardless if there is activity or not. So,
| if you have the timeout value set to 3600 you will have to enter your
| password every hour. I'll take another look at this if I can extend the
| session if there is activity. The way it is right now a new key is
| generated when a user enters a password.

I haven't checked the logic of Dieter's patch but I haven't seen any
complaint on the mailing list either.

<digress>
I'm quite unhappy with how this security incident has been handled by
Dieter as he was aware of the problem for several months! Thus, we should
seriously consider packaging ledger-smb (the new fork of sql-ledger) for
the future (and maybe drop sql-ledger if the fork stays alive).
</digress>

Cheers,
-- 
Raphaël Hertzog
First French book on Debian GNU/Linux: http://www.ouaza.com/livre/admin-debian/
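The keyed-cookie scheme Dieter describes in the message above (a cookie derived from the login and a login time, bound to a key kept in the user's config, with a fixed timeout and a fresh key on every password entry), together with the second-window symptom Raphael suspects earlier in the thread (a second login issuing a new cookie and invalidating the first window's), as an added example in Python. This is not sql-ledger's code and does not reproduce its patch: it assumes HMAC-SHA256 as the "scrambling" function, a random 32-byte per-user key held in an in-memory dict standing in for the user's config file, a cookie laid out as login:login_time:tag, and constructed timestamps; unlike the scheme quoted, it deliberately keeps the password out of the cookie material.

```python
# Added example (not sql-ledger's code): a keyed, time-limited session
# cookie with per-user key rotation on login.
# Assumptions: HMAC-SHA256 as the "scrambling" function, a random 32-byte
# per-user key kept in an in-memory dict standing in for the user's config
# file, cookie layout login:login_time:tag, and constructed timestamps.
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SESSION_TIMEOUT = 3600  # seconds; the thread uses 3600 as its example

# login -> current key; stands in for the key stored in the user's config file
USER_KEYS: Dict[str, bytes] = {}


def _tag(user: str, login_time: int, key: bytes) -> str:
    """Keyed digest over the readable part of the cookie."""
    msg = f"{user}:{login_time}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def login(user: str, now: int) -> str:
    """Called after a successful password check. Generates a fresh key for
    the user (the thread says a new key is made on every password entry)
    and issues a cookie bound to that key."""
    key = secrets.token_bytes(32)
    USER_KEYS[user] = key
    return f"{user}:{now}:{_tag(user, now, key)}"


def verify_cookie(cookie: str, now: int) -> Optional[str]:
    """Return the login name if the cookie is authentic and unexpired,
    otherwise None. Expiry is absolute from login time, not sliding."""
    parts = cookie.split(":")
    if len(parts) != 3:
        return None
    user, login_time_s, tag = parts
    try:
        login_time = int(login_time_s)
    except ValueError:
        return None
    key = USER_KEYS.get(user)
    if key is None:
        return None
    # Constant-time compare so a tag mismatch leaks nothing about position.
    if not hmac.compare_digest(_tag(user, login_time, key), tag):
        return None
    if now < login_time or now - login_time >= SESSION_TIMEOUT:
        return None
    return user


def demo() -> Dict[str, bool]:
    """Walk through the cases discussed in the thread; returns per-case results."""
    t0 = 1_157_900_000  # constructed epoch timestamp (September 2006)
    first = login("alice", t0)
    user, login_time, tag = first.split(":")
    # Forged cookie: same tag, login time moved forward to dodge the timeout.
    forged = f"{user}:{int(login_time) + SESSION_TIMEOUT}:{tag}"
    results = {
        "fresh_cookie_accepted": verify_cookie(first, t0 + 10) == "alice",
        "cookie_expires_after_timeout": verify_cookie(first, t0 + SESSION_TIMEOUT) is None,
        "forged_time_rejected": verify_cookie(forged, t0 + SESSION_TIMEOUT) is None,
    }
    # Second login (e.g. a second browser window) rotates alice's key, so the
    # first window's cookie stops verifying even though it has not expired.
    second = login("alice", t0 + 20)
    results["first_window_invalidated"] = verify_cookie(first, t0 + 30) is None
    results["second_window_accepted"] = verify_cookie(second, t0 + 30) == "alice"
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

The login name and login time stay readable in the cookie, which matches Finn-Arne's observation that his cookie still shows when and as whom he logged in; what the cookie holder cannot do is recompute the tag without the server-side key, so moving the login time forward to outlive the timeout is rejected. The last two cases show the side effect Raphael suspected: because each password entry rotates the user's key, a cookie issued to a first window stops verifying as soon as the same user logs in again from a second one.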
Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244
On Fri, 08 Sep 2006, Chris Morris wrote:
> Package: sql-ledger
> Severity: grave
> Tags: security
> Justification: user security hole
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4244
>
> Recently fully disclosed at
> http://www.securityfocus.com/archive/1/445512/30/0/threaded
>
> Looking at the source of menu.pl it appears to work exactly as Chris
> Travers describes it. Apparently all versions from 2.4.4 onwards are
> affected, which includes the version in sarge.

I uploaded the new upstream version 2.6.18-1 to sid, it fixes this issue.

For sarge, I created 2.4.7-2sarge1 and I uploaded it here:
http://people.debian.org/~hertzog/sql-ledger/

It's a full (signed) upload which can simply be uploaded to the security
archive (dist=stable-security as per devel ref 5.8.5.3).

The patch used is here:
http://people.debian.org/~hertzog/sql-ledger/sql-ledger.patch

I simply applied the relevant changes between 2.6.17 and 2.6.18 to the
old 2.4.7-2 and it applied immediately. However I haven't had the time
to test if the package upgrades fine and if it still works well.

I'd like other people from [EMAIL PROTECTED] to help out with the
testing. Can people confirm that the updated package works fine?

Cheers,
-- 
Raphaël Hertzog
First French book on Debian GNU/Linux: http://www.ouaza.com/livre/admin-debian/
Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244
Package: sql-ledger
Severity: grave
Tags: security
Justification: user security hole

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4244

Recently fully disclosed at
http://www.securityfocus.com/archive/1/445512/30/0/threaded

Looking at the source of menu.pl it appears to work exactly as Chris
Travers describes it. Apparently all versions from 2.4.4 onwards are
affected, which includes the version in sarge.