Raphael Hertzog wrote:
> On Tue, 12 Sep 2006, Finn-Arne Johansen wrote:
>> Dieter Simader wrote:
>>> The sessionid is still there but not used anymore.
>>>
>>> If you need more info let me know.
>> OK, as said - I've tested that the new package installs ok, but I have
>> not found the time to check how the bug is fixed.
>>
>> Since I'm under a rather heavy workload now, I doubt that I can make the
>> time to verify anything else than that the upgrade went ok.
>
> Same for me. I'm rather busy lately and I prepared this patch because it's
> a security issue but I do not have time to test the old security-patched
> package.
>
> I have no reason to believe that it would cause major pains however.
> Petter, maybe you have some time to test the sarge update?
>
>> If Raphael understands the patch, I suggest it's uploaded to the
>> security mirror, and that a DSA is released.
>
> Indeed, but I just generated a new version of that update since a second
> security issue has been fixed in 2.6.19 (a directory traversal bug). I
> also applied the fix for the "new window" function which broke due
> to the change in the session id handling.

How did that break? I'm using 2.4.7-2sarge1, and the "new window" function
works as far as I can see. So if "new window" should fail to work because of
the patch, the patch is not working, since "new window" works for me. I
seldom use that function; I'd rather right-click and select "open in new
TAB".

> Please check out the updated package (and patch) at:
> http://people.debian.org/~hertzog/sql-ledger/

Well, I do run the same version, but I guess you built a new version with
the same version number. Here is the entry from the changelog on the
version I'm using:

sql-ledger (2.4.7-2sarge1) stable-security; urgency=high

  * Security upload.
  * Fix bad handling of sessionid: CVE-2006-4244 Closes: #386519

 -- Raphael Hertzog <[EMAIL PROTECTED]>  Sun, 10 Sep 2006 21:56:34 +0200

-- 
Finn-Arne Johansen
[EMAIL PROTECTED] http://bzz.no/
Debian-edu developer and Solution provider
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642