Hello Dieter,

On Wed, 08 Jun 2011, Simon Paillard wrote:
> Hi,
>
> On Mon, Jun 06, 2011 at 08:59:32PM -0600, Dieter Simader wrote:
> > NOTE: This package does not benefit from serious security support and
> > you should use it only in a trusted environment. It's known to be
> > affected by multiple SQL injections and similar problems. See the
> > README.Debian file for more information.
> >
> > Please see:
> > http://sql-ledger.com/cgi-bin/nav.pl?page=misc/changelog.html&title=Changelog
I would gladly remove that statement if you could respond to security alerts in a proper manner, i.e. pushing out timely fixes when the security issues are reported and acknowledging the security fixes by referencing the corresponding CVE number.

For a start, there are many outstanding security issues in our bug tracker:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=446366
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=562639

They report the following CVEs:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5372
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3580
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3581
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3582
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3583
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3584

Can you tell me which of those issues have been fixed (and in which version, if possible)?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Follow my Debian News ▶ http://RaphaelHertzog.com (English)
                     ▶ http://RaphaelHertzog.fr (Français)

Archive: http://lists.debian.org/20110608194456.gh21...@rivendell.home.ouaza.com