Hello,

On Sun, 04 Feb 2007, Alex de Oliveira Silva wrote:
> Package: sql-ledger
> Version: 2.6.22-1
> Severity: important
> Tags: security
>
> Hi.
> Maybe sql-ledger is affected by CVE-2007-0667.
>
> Description:
> Separate from CVE-2006-5872, there is a possibility of causing arbitrary
> code execution during redirects. This requires a valid login to exploit
> and was discovered and brought to the attention of both the SQL-Ledger
> and LedgerSMB team in November. LedgerSMB 1.1.5 corrected the problem, but
> it is still not corrected in SQL-Ledger.
>
> Reference:
> http://www.frsirt.com/english/advisories/2007/0407
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0667
Indeed, none of the vulnerabilities which require an account have been fixed in SQL-Ledger. Chris Travers promised to post an unofficial patch for sql-ledger but I can't find it on the sql-ledger mailing list...

Chris? Can you point us to the patch?

Cheers,
-- 
Raphaël Hertzog
First French book on Debian GNU/Linux: http://www.ouaza.com/livre/admin-debian/