Your message dated Sat, 06 Sep 2008 11:25:14 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#484499: fixed in slash 2.2.6-8etch1
has caused the Debian Bug report #484499,
regarding slash: possible SQL injection vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
484499: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484499
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: slash
Severity: grave
Tags: security
Justification: user security hole

Hi

A possible SQL injection vulnerability was discovered in slash.
The vulnerability was an SQL injection. Its effect was to allow a user
with no special authorization to read any information from any table the
Slash site's MySQL user was authorized to read (which may include other
databases, including information_schema).

More information can be found here[0].

The upstream patch can be found here[1].

Cheers
Steffen

[0]: http://www.slashcode.com/article.pl?sid=08/01/07/2314232

[1]: http://slashcode.cvs.sourceforge.net/slashcode/slash/Slash/Utility/Environment/Environment.pm?r1=1.223&r2=1.225



--- End Message ---
--- Begin Message ---
Source: slash
Source-Version: 2.2.6-8etch1

We believe that the bug you reported is fixed in the latest version of
slash, which is due to be installed in the Debian FTP archive:

slash_2.2.6-8etch1.diff.gz
  to pool/main/s/slash/slash_2.2.6-8etch1.diff.gz
slash_2.2.6-8etch1.dsc
  to pool/main/s/slash/slash_2.2.6-8etch1.dsc
slash_2.2.6-8etch1_amd64.deb
  to pool/main/s/slash/slash_2.2.6-8etch1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Axel Beckert <[EMAIL PROTECTED]> (supplier of updated slash package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 14 Jul 2008 02:17:10 +0200
Source: slash
Binary: slash
Architecture: source amd64
Version: 2.2.6-8etch1
Distribution: stable-security
Urgency: high
Maintainer: Axel Beckert <[EMAIL PROTECTED]>
Changed-By: Axel Beckert <[EMAIL PROTECTED]>
Description: 
 slash      - The code that runs Slashdot
Closes: 484499
Changes: 
 slash (2.2.6-8etch1) stable-security; urgency=high
 .
   * Security fixes for CVE-2008-2231 and CVE-2008-2553 (Closes: #484499)
Files: 
 70b86d7e0c6f4d70e6ecc1e027739be5 954 web extra slash_2.2.6-8etch1.dsc
 a9886e1e08e47e0db4f3ba3e750102ff 584128 web extra slash_2.2.6.orig.tar.gz
 2b23a32433e9b168b09ad43e0fd1d160 21622 web extra slash_2.2.6-8etch1.diff.gz
 e81e95ed88e082dc56cd10b3770c4360 588970 web extra slash_2.2.6-8etch1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

-----END PGP SIGNATURE-----



--- End Message ---
