> Regarding that bug, I've been searching all slash CVS tree and mailing
> lists but I wasn't able to find this patch everyone is referring to
> (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=160579;msg=42).
> AFAICT no security fix was made available separately.
No one said a fix was made available separately. If you read the URL I posted in my first message to this bug report you can see the following response from the slashcode authors:

http://marc.theaimsgroup.com/?l=bugtraq&m=103238514720237&w=2

  The code changes we have made are as follows:

  (1) even unsuccessful login attempts, using the URL format we provide,
      will be given a 302 Redirect to remove the username and (wrong)
      password from the query string;

  (2) Slash sites which use our code now must set a variable if they want
      to offer the "totally insecure" option to their users; by default,
      for current sites and new sites, it will be off.

  These code changes are in CVS now and will be on slashdot.org soon.

-- 
see shy jo
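The two mitigations the slashcode authors describe above (always answer a query-string login with a 302 whose Location has the credentials stripped, and keep the query-string login feature off unless a site operator explicitly enables it) are small enough to show in working code. The following is an added illustration, not slashcode's own code or the Debian patch; the parameter names `user` and `password`, the site setting `ALLOW_LOGIN_VIA_QUERY_STRING`, the URL and the credential table are all constructed for the example. Stripping the credentials before redirecting matters because a query string otherwise ends up in browser history, proxy and web-server access logs, and the Referer header of every link the user follows next.

```python
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed site setting standing in for the variable the slashcode reply
# mentions: the "totally insecure" query-string login is off unless a site
# operator deliberately turns it on.
ALLOW_LOGIN_VIA_QUERY_STRING = False

# Constructed parameter names used for credentials in the URL login format.
CREDENTIAL_PARAMS = {"user", "password"}


def strip_credentials(url: str) -> str:
    """Return the same URL with every credential parameter removed from the query."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in CREDENTIAL_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


def handle_login(url: str, valid_credentials: dict,
                 allow_query_login: bool = ALLOW_LOGIN_VIA_QUERY_STRING) -> tuple:
    """Decide the response to a login request whose credentials arrive in the query string.

    Returns (status_code, headers). Whenever credentials are present the answer is a
    302 to the credential-free URL, whether the login succeeded, failed, or the feature
    is disabled; only a successful login additionally sets a session cookie.
    """
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if not (CREDENTIAL_PARAMS & params.keys()):
        return 200, {}  # ordinary request, nothing to scrub

    headers = {"Location": strip_credentials(url)}
    if not allow_query_login:
        # Feature is off by default: credentials in the URL are never honoured,
        # but we still redirect so they do not linger in the address bar or logs.
        return 302, headers

    expected = valid_credentials.get(params.get("user", ""), "")
    supplied = params.get("password", "")
    # Constant-time comparison so a failed attempt does not leak timing information.
    if expected and hmac.compare_digest(expected, supplied):
        headers["Set-Cookie"] = "session=CONSTRUCTED-SESSION-ID; HttpOnly; Secure; Path=/"
    return 302, headers


if __name__ == "__main__":
    # Constructed credential table and request URL for a stand-alone run.
    users = {"alice": "correct horse battery staple"}
    url = "https://example.test/login?user=alice&password=wrong&op=login"
    print(handle_login(url, users))                          # default: (302, {'Location': ...})
    print(handle_login(url, users, allow_query_login=True))  # wrong password: 302, no cookie
```

The default path never even looks at the supplied password; a site that sets `ALLOW_LOGIN_VIA_QUERY_STRING = True` gets the 302-after-every-attempt behaviour the reply describes, with the cookie as the only difference between success and failure.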