Steven Chamberlain wrote, on 27/03/2012 01:54:
Hi,
On 26/03/12 10:05, Petter Reinholdtsen wrote:
The fix for gosa.conf is not upgradable, so we need to come up with a
better idea.
The fix won't work. Using quotes in gosa.conf is no good if the
%userPassword substitution could contain doubl
le backslashes, but that's at the PHP level
replacing \\ with \, and does not lead to vulnerability AFAICT - it just
means that password won't work.
Is that good with you?
--
Samuel Krempp
--
Samuel Krempp wrote, on 25/03/2012 11:41:
I see GOsa devs noticed the security issue 19 months ago:
https://oss.gonicus.de/labs/gosa/ticket/1026
"Additionally the script parameter are not escaped right now, somebody
could do nasty thing with it. I will have a look at this too. "
H
Petter Reinholdtsen wrote, on 25/03/2012 10:45:
tags 665696 + pending
thanks
[Samuel Krempp]
following patch just adds the quoting, and was verified to fix the
issue.
Thank you. I have committed the fix to svn.
the issue remains for other special characters, at least quotes. But the
=important.
following patch just adds the quoting, and was verified to fix the issue.
--
Samuel Krempp
--- /etc/gosa/gosa.conf.befSK 2012-03-25 09:45:33.0 +0200
+++ /etc/gosa/gosa.conf 2012-03-25 09:50:10.0 +0200
@@ -44,7 +44,7
I don't know anything about kerberos stuff.
How to fix on an installed system? I installed shortly after the r0
release, and got hit by this "2 days later" killer bug.
The discussion so far doesn't give a clear hint on a fix for non-experts
in kerberos like me ...
regard
Package: x11-common
Version: 1:7.0.10
Severity: important
I just used aptitude to upgrade my debian/unstable box (the previous
full update was on 2006-03-19), most notably this upgraded the X system
to 7.0.10. And since then, many X programs are either crashing (mostly
before even displaying anyth