Debian Security Advisory
DSA-1239-1 sql-ledger -- several vulnerabilities
- Date Reported:
- 17 Dec 2006
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 386519.
In Mitre's CVE dictionary: CVE-2006-4244, CVE-2006-4731, CVE-2006-5872.
- More information:
Several remote vulnerabilities have been discovered in SQL Ledger, a web based double-entry accounting program, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:
Chris Travers discovered that the session management can be tricked into hijacking existing sessions.
Chris Travers discovered that directory traversal vulnerabilities can be exploited to execute arbitrary Perl code.
It was discovered that missing input sanitising allows execution of arbitrary Perl code.
For the stable distribution (sarge) these problems have been fixed in version 2.4.7-2sarge1.
For the upcoming stable distribution (etch) these problems have been fixed in version 2.6.21-1.
For the unstable distribution (sid) these problems have been fixed in version 2.6.21-1.
We recommend that you upgrade your sql-ledger packages.
- Fixed in:
Debian GNU/Linux 3.1 (sarge)
- Architecture-independent component:
MD5 checksums of the listed files are available in the original advisory.