Re: Package: sql-ledger (2.8.33-1)
Hello Dieter,
On Wed, 08 Jun 2011, Simon Paillard wrote:
> Hi,
>
> On Mon, Jun 06, 2011 at 08:59:32PM -0600, Dieter Simader wrote:
> > NOTE: This package does not benefit from serious security support and
> > you should use it only in a trusted environment. It's known to be
> > affected by multiple SQL injections and similar problems. See the
> > README.Debian file for more information.
> >
> > Please see:
> > http://sql-ledger.com/cgi-bin/nav.pl?page=misc/changelog.html&title=Changelog
I would gladly remove that statement if you could respond to security
alerts in a proper manner, i.e. pushing out timely fixes when the security
issues are reported and acknowledging the security fixes by referencing
the corresponding CVE number.
For a start, there are many outstanding security issues in our
bug tracker:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=446366
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=562639
They report the following CVEs:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5372
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3580
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3581
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3582
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3583
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3584
Can you tell me which of those issues have been fixed (and in which
version if possible)?
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Follow my Debian News ▶ http://RaphaelHertzog.com (English)
▶ http://RaphaelHertzog.fr (Français)