Bug#386519: [Pkg-sql-ledger-discussion] Re: Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244

2006-09-12 Thread Finn-Arne Johansen
Dieter Simader wrote: The sessionid is still there but not used anymore. If you need more info let me know. OK, as said - I've tested that the new package installs ok, but I have not found the time to check how the bug is fixed. Since I'm under a rather heavy workload now, I doubt that I can

Bug#386519: Re: Bug#386519: [Pkg-sql-ledger-discussion] Re: Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244

2006-09-12 Thread Raphael Hertzog
On Tue, 12 Sep 2006, Finn-Arne Johansen wrote: Dieter Simader wrote: The sessionid is still there but not used anymore. If you need more info let me know. OK, as said - I've tested that the new package installs ok, but I have not found the time to check how the bug is fixed. Since

Bug#386519: [Pkg-sql-ledger-discussion] Re: Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244

2006-09-12 Thread Finn-Arne Johansen
Raphael Hertzog wrote: On Tue, 12 Sep 2006, Finn-Arne Johansen wrote: Dieter Simader wrote: The sessionid is still there but not used anymore. If you need more info let me know. OK, as said - I've tested that the new package installs ok, but I have not found the time to check how the bug is

Bug#386519: [Pkg-sql-ledger-discussion] Re: Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244

2006-09-12 Thread Raphael Hertzog
On Tue, 12 Sep 2006, Finn-Arne Johansen wrote: Indeed, but I just generated a new version of that update since a second security issue has been fixed in 2.6.19 (a directory traversal bug). I also applied the fix for the new window function which broke due to the change in the

Bug#386519: [Pkg-sql-ledger-discussion] Re: Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244

2006-09-11 Thread Finn-Arne Johansen
Raphael Hertzog wrote: On Fri, 08 Sep 2006, Chris Morris wrote: Package: sql-ledger Severity: grave Tags: security Justification: user security hole http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4244 Recently fully disclosed at

Bug#386519: Re: [Pkg-sql-ledger-discussion] Re: Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244

2006-09-11 Thread Raphael Hertzog
Hi, On Mon, 11 Sep 2006, Finn-Arne Johansen wrote: I simply applied the relevant changes between 2.6.17 and 2.6.18 to the old 2.4.7-2 and it applied immediately. However I haven't had the time to test if the package upgrades fine and if it still works well. The upgrade did work ok, but I

Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244

2006-09-10 Thread Raphael Hertzog
On Fri, 08 Sep 2006, Chris Morris wrote: Package: sql-ledger Severity: grave Tags: security Justification: user security hole http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4244 Recently fully disclosed at http://www.securityfocus.com/archive/1/445512/30/0/threaded Looking at the

Bug#386519: sql-ledger: Security vulnerability CVE-2006-4244

2006-09-08 Thread Chris Morris
Package: sql-ledger Severity: grave Tags: security Justification: user security hole http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-4244 Recently fully disclosed at http://www.securityfocus.com/archive/1/445512/30/0/threaded Looking at the source of menu.pl it appears to work exactly as