Florian Weimer
2007-Mar-24 10:13 UTC
[Secure-testing-team] Release sql-ledger as part of etch?
Is it really a good idea to release this with etch, given the excerpt from
the README.Debian file below? (Sorry if this has been discussed
before.)

IMPORTANT SECURITY NOTICE
-------------------------
SQL-Ledger is known to have many vulnerabilities that are exploitable by
someone who has a user account on this web application. That's why you
should *only* use that application if you trust the users that have access
to it.

Historically it also had some vulnerabilities that could be exploited even
without having an account. So we advise you to put this web
application in an authenticated HTTP zone.

Summary: SQL-Ledger is not suitable for public installations or for
installations with untrusted users.

Some pointers:

http://bugs.debian.org/409703
http://www.securityfocus.com/archive/1/459264
http://www.securityfocus.com/archive/1/445817
Alec Berryman
2007-Mar-25 00:35 UTC
[Secure-testing-team] Release sql-ledger as part of etch?
Florian Weimer on 2007-03-24 10:57:39 +0100:

> Is it really a good idea to release this with etch, given the excerpt from
> the README.Debian file below? (Sorry if this has been discussed
> before.)
>
> IMPORTANT SECURITY NOTICE
> -------------------------
> SQL-Ledger is known to have many vulnerabilities that are exploitable by
> someone who has a user account on this web application. That's why you
> should *only* use that application if you trust the users that have access
> to it.
>
> Historically it also had some vulnerabilities that could be exploited even
> without having an account. So we advise you to put this web
> application in an authenticated HTTP zone.

debian/postinst unconditionally enables the application in apache (only
apache, not apache2), but does not restart the web server to make it
available. If it's a security risk and should only be run in an
authenticated HTTP zone as the maintainer suggests, perhaps it should not
be enabled by default.
Moritz Muehlenhoff
2007-Mar-25 22:21 UTC
[Secure-testing-team] Release sql-ledger as part of etch?
Florian Weimer wrote:

> Is it really a good idea to release this with etch, given the excerpt from
> the README.Debian file below? (Sorry if this has been discussed
> before.)
>
> IMPORTANT SECURITY NOTICE
> -------------------------
> SQL-Ledger is known to have many vulnerabilities that are exploitable by
> someone who has a user account on this web application. That's why you
> should *only* use that application if you trust the users that have access
> to it.
>
> Historically it also had some vulnerabilities that could be exploited even
> without having an account. So we advise you to put this web
> application in an authenticated HTTP zone.
>
> Summary: SQL-Ledger is not suitable for public installations or for
> installations with untrusted users.

I recommended adding such a note; the alternative would have been to remove
it altogether. Given the nature of the program it seems likely that there
are still useful fields of application.

BTW, for discussions not directly related to the Security Tracker we should
rather use debian-security@ldo.

Cheers,
Moritz
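The "authenticated HTTP zone" the README asks for, written out as an added Apache 1.3-style configuration example; it is not from the thread or the Debian sql-ledger package, and the install path, the alias name, the htpasswd file location and the internal network range are assumptions for illustration.

```apache
# Added example, not the package's own apache configuration.
# Assumed install path and alias; adjust to where the package really puts
# its CGI scripts.
Alias /sql-ledger /usr/share/sql-ledger

<Directory /usr/share/sql-ledger>
    Options +ExecCGI
    AddHandler cgi-script .pl

    # Authenticated zone: every request must carry valid credentials from
    # the htpasswd file (assumed path; create it with "htpasswd -c").
    # Basic auth sends the password in the clear, so serve this over SSL.
    AuthType Basic
    AuthName "SQL-Ledger (trusted users only)"
    AuthUserFile /etc/apache/sql-ledger.htpasswd
    Require valid-user

    # Additionally limit access to the internal network (documentation
    # range used as a placeholder). "Satisfy All" means a client needs
    # BOTH the network match AND a login, not either one.
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
    Satisfy All
</Directory>
```

Because the application is only safe with trusted users, the htpasswd file should list exactly the accounts that also exist inside SQL-Ledger, so that the unauthenticated issues the README mentions are never reachable from outside that group.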