Your message dated Sun, 06 Dec 2009 20:50:06 +0000
with message-id <[email protected]>
and subject line Package gnudip has been removed from Debian
has caused the Debian Bug report #539452,
regarding gnudip: sql injection in gnudip2.cgi (and probably gdips.pl as well)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
539452: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539452
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gnudip
Version: 2.1.1-4.1
Severity: grave
Tags: security
Justification: user security hole
Hi,
gnudip's web interface is vulnerable to SQL injections. If one changes
the email address to something like
[email protected]", level="ADMIN
one gets administrator permissions. The server script gdips.pl also
looks prone to SQL injection attacks.
Regards,
Ansgar
--- End Message ---
--- Begin Message ---
Version: 2.1.1-4.1+rm
You filed the bug http://bugs.debian.org/539452 in Debian BTS
against the package gnudip. I'm closing it at *unstable*, but it will
remain open for older distributions.
For more information about this package's removal, read
http://bugs.debian.org/556748. That bug might give the reasons why
this package was removed and suggestions of possible replacements.
Don't hesitate to reply to this mail if you have any questions.
Thank you for your contribution to Debian.
--
Marco Rodrigues
--- End Message ---