Hi,

On Mon, 11 Sep 2006, Finn-Arne Johansen wrote:
> > I simply applied the relevant changes between 2.6.17 and 2.6.18 to the old
> > 2.4.7-2 and it applied immediately. However I haven't had the time to test
> > if the package upgrades fine and if it still works well.
>
> The upgrade did work ok, but I failed to see how it should fix the bug.
> But I haven't had time to look closely at it.
>
> I still have the same cookie, that tells when I logged in, the user-name
> I used to log in with.
>
> > I'd like other people from [EMAIL PROTECTED] to help out
> > with the testing. Can people confirm that the updated package works fine?
>
> It works, but I fail to see how it fixes the bug.
The upstream author said:
| This upgrade fixes a bug discovered with the sessionid.
|
| The new procedure is now without a visible sessionid but the login and
| password are compared. The cookie for the browser contains a scrambled
| string of the login, password and a time value. This scrambled string,
| which is only visible to the browser, is then assembled with the key stored
| in the user's config file. In order for someone to crack the code you need
| to have the cookie from the browser, which you can only get if someone
| eavesdrops, and you also need the key from the user.
|
| The session will also time out regardless of whether there is activity or not.
| So, if you have the timeout value set to 3600 you will have to enter your
| password every hour. I'll take another look at this to see if I can extend
| the session if there is activity. The way it is right now a new key is
| generated when a user enters a password.

I haven't checked the logic of Dieter's patch but I haven't seen any
complaint on the mailing list either.

<digress>
I'm quite unhappy with how this security incident has been handled by
Dieter as he was aware of the problem for several months! Thus, we should
seriously consider packaging ledger-smb (the new fork of sql-ledger) for
the future (and maybe drop sql-ledger if the fork stays alive).
</digress>

Cheers,
--
Raphaël Hertzog
First French book on Debian GNU/Linux : http://www.ouaza.com/livre/admin-debian/
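The cookie scheme the upstream author describes above (a browser cookie that the server can only validate with a key kept in the user's config file, a fresh key on every password login, and an absolute timeout that expires the session even while it is active) can be sketched in a few lines. The following is an added illustration written for this thread, not sql-ledger's own code and not Dieter's patch: the "scrambling" is implemented as HMAC-SHA256 over the login and the issue time under a per-user random key, the password is deliberately left out of the cookie (the server-side key already ties the cookie to the authenticated login, so there is no reason to ship the password to the browser), and the `user_keys` dictionary is a constructed stand-in for the per-user config file. `TIMEOUT = 3600` mirrors the one-hour value in the quote.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Absolute session lifetime in seconds; the quote's "timeout value set to 3600".
TIMEOUT = 3600

# Constructed stand-in for "the key stored in the user's config file":
# login -> current session key. Only the server ever sees these.
user_keys = {}


def new_session_key(login):
    """Generate a fresh random key for this user. Called on every
    password login, which also invalidates any earlier cookie."""
    key = secrets.token_bytes(32)
    user_keys[login] = key
    return key


def _mac(key, login, issued):
    """Keyed MAC over the fields that the cookie carries in the clear."""
    msg = "%s|%d" % (login, issued)
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def issue_cookie(login, now=None):
    """Called after the password check succeeded: rotate the user's key
    and build the cookie value 'login|issued|tag', base64url-encoded so
    it survives cookie syntax unchanged."""
    issued = int(time.time()) if now is None else int(now)
    key = new_session_key(login)
    tag = _mac(key, login, issued)
    raw = "%s|%d|%s" % (login, issued, tag)
    return base64.urlsafe_b64encode(raw.encode()).decode()


def verify_cookie(cookie, now=None, timeout=TIMEOUT):
    """Return the login if the cookie is authentic and unexpired, else None.

    An eavesdropper holding the cookie but not the user's key cannot forge a
    new one, and a cookie from a previous login fails because the key was
    regenerated. Expiry is absolute: activity does not extend it."""
    now = int(time.time()) if now is None else int(now)
    try:
        raw = base64.urlsafe_b64decode(cookie.encode()).decode()
        # rsplit so a login containing '|' cannot shift the numeric fields
        login, issued_s, tag = raw.rsplit("|", 2)
        issued = int(issued_s)
    except (ValueError, UnicodeDecodeError):
        return None

    key = user_keys.get(login)
    if key is None:
        return None  # no current session for this login
    if not hmac.compare_digest(tag, _mac(key, login, issued)):
        return None  # tampered, or signed under an old key
    if issued > now or now - issued >= timeout:
        return None  # absolute timeout, regardless of activity
    return login


if __name__ == "__main__":
    c = issue_cookie("alice")
    print("fresh cookie verifies as:", verify_cookie(c))
    print("one hour later:", verify_cookie(c, now=time.time() + TIMEOUT))
```

The part a reviewer would check in the real patch is the last `if`: the quote says the session times out "regardless if there is activity or not", so the check must compare against the issue time embedded in the cookie, not against a last-seen timestamp that a request would refresh.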