tag 160579 security
thanks

We don't just use the security tag in the bts for security holes that
are limited to shell exploits. This particular problem, which by the way
has been assigned CVE id CAN-2002-1647, allows interception of some
user's passwords, and hijacking of their slash accounts, which can be
considered a security hole. Especially if a user is unwise enough to
reuse that password elsewhere.

Anyway, upstream does *not* consider the lack of redirect a feature.
Upstream was changed years ago to always redirect to a url that does not
contain the password, even if the password is incorrect, and the Debian
package should be updated.

See http://marc.theaimsgroup.com/?l=bugtraq&m=103238514720237&w=2

-- 
see shy jo

Attachment: signature.asc
Description: Digital signature

Reply via email to