Several remote vulnerabilities have been discovered in elog, a web-based electronic logbook, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2006-5063
Tilman Koschnick discovered that log entry editing in HTML is vulnerable to cross-site scripting. This update disables the vulnerable code.

CVE-2006-5790
Ulf Härnhammar of the Debian Security Audit Project discovered several format string vulnerabilities in elog, which may lead to execution of arbitrary code.

CVE-2006-5791
Ulf Härnhammar of the Debian Security Audit Project discovered cross-site scripting vulnerabilities in the creation of new logbook entries.

CVE-2006-6318
Jayesh KS and Arun Kethipelly of OS2A discovered that elog performs insufficient error handling in config file parsing, which may lead to denial of service through a NULL pointer dereference.
For the stable distribution (sarge) these problems have been fixed in version 2.5.7+r1558-4+sarge3.
The upcoming stable distribution (etch) will no longer include elog.
For the unstable distribution (sid) these problems have been fixed in version 2.6.2+r1754-1.
We recommend that you upgrade your elog package.
MD5 checksums of the listed files are available in the original advisory.