Bug#409703: CVE-2007-0667: sql-ledger: Arbitrary Code Execution

2007-03-03 Thread Raphael Hertzog
severity 409703 important retitle 409703 SQL-ledger unsafe for use with untrusted users or public installations tags 409703 + wontfix thanks On Fri, 02 Mar 2007, Steve Langasek wrote: > > I've done that but I closed the bug, so that its progression in etch can be > > properly tracked. We ought to

Bug#409703: CVE-2007-0667: sql-ledger: Arbitrary Code Execution

2007-03-02 Thread Steve Langasek
reopen 409703 thanks On Thu, Mar 01, 2007 at 03:57:51PM +0100, Raphael Hertzog wrote: > On Wed, 28 Feb 2007, Moritz Muehlenhoff wrote: > > We talked about this before in private mail. Please either > > a) Document clearly in README.Debian that sql-ledger is not suitable > > for public installatio

Bug#409703: CVE-2007-0667: sql-ledger: Arbitrary Code Execution

2007-03-01 Thread Raphael Hertzog
On Wed, 28 Feb 2007, Moritz Muehlenhoff wrote: > We talked about this before in private mail. Please either > > a) Document clearly in README.Debian that sql-ledger is not suitable > for public installations w/o completely trusted users (which could even > be in order for an accounting solution) and

Bug#409703: CVE-2007-0667: sql-ledger: Arbitrary Code Execution

2007-02-28 Thread Moritz Muehlenhoff
severity 409703 grave thanks Raphael Hertzog wrote: > Indeed, none of the vulnerabilities which require an account have been > fixed in SQL-Ledger. Chris Travers promised to post an unofficial patch > for sql-ledger but I can't find it on the sql-ledger mailing list... We talked about this before i

Bug#409703: CVE-2007-0667: sql-ledger: Arbitrary Code Execution

2007-02-05 Thread Chris Travers
This patch was made against 2.6.18 but could be applicable to many other versions as well. It alters the redirect() subroutine in the Form.pm to effectively whitelist scripts. Raphael Hertzog wrote: Hello, On Sun, 04 Feb 2007, Alex de Oliveira Silva wrote: Package: sql-ledger Version: 2.

Bug#409703: CVE-2007-0667: sql-ledger: Arbitrary Code Execution

2007-02-05 Thread Raphael Hertzog
Hello, On Sun, 04 Feb 2007, Alex de Oliveira Silva wrote: > Package: sql-ledger > Version: 2.6.22-1 > Severity: important > Tags: security > > Hi. > Maybe sql-ledger is affected by CVE-2007-0667. > > Description: > Separate from CVE-2006-5872, there is a possibility of causing arbitrary > code e

Bug#409703: CVE-2007-0667: sql-ledger: Arbitrary Code Execution

2007-02-04 Thread Alex de Oliveira Silva
Package: sql-ledger Version: 2.6.22-1 Severity: important Tags: security Hi. Maybe sql-ledger is affected by CVE-2007-0667. Description: Separate from CVE-2006-5872, there is a possibility of causing arbitrary code execution during redirects. This requires a valid login to exploit and was discove