
Debian Bug report logs - #562639
CVE-2009-4402 CVE-2009-3580 CVE-2009-3581 CVE-2009-3582 CVE-2009-3583 CVE-2009-3584


Reported by: Giuseppe Iuculano <iuculano@debian.org>

Date: Sat, 26 Dec 2009 18:06:01 UTC

Severity: important

Tags: security

Fixed in version 2.8.32-1

Done: Nikolai Lusan <nikolai@lusan.id.au>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Raphaël Hertzog <hertzog@debian.org>:
Bug#562639; Package sql-ledger. (Sat, 26 Dec 2009 18:06:04 GMT)


Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Raphaël Hertzog <hertzog@debian.org>. (Sat, 26 Dec 2009 18:06:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-4402 CVE-2009-3580 CVE-2009-3581 CVE-2009-3582 CVE-2009-3583 CVE-2009-3584
Date: Sat, 26 Dec 2009 19:04:35 +0100
Package: sql-ledger
Severity: grave
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for sql-ledger.

CVE-2009-4402[0]:
| The default configuration of SQL-Ledger 2.8.24 allows remote attackers
| to perform unspecified administrative operations by providing an
| arbitrary password to the admin interface.

CVE-2009-3580[1]:
| Cross-site request forgery (CSRF) vulnerability in am.pl in SQL-Ledger
| 2.8.24 allows remote attackers to hijack the authentication of
| arbitrary users for requests that change a password via the login,
| new_password, and confirm_password parameters in a preferences action.

CVE-2009-3581[2]:
| Multiple cross-site scripting (XSS) vulnerabilities in SQL-Ledger
| 2.8.24 allow remote authenticated users to inject arbitrary web script
| or HTML via (1) the DCN Description field in the Accounts Receivables
| menu item for Add Transaction, (2) the Description field in the
| Accounts Payable menu item for Add Transaction, or the name field in
| (3) the Customers menu item for Add Customer or (4) the Vendor menu
| item for Add Vendor.

CVE-2009-3582[3]:
| Multiple SQL injection vulnerabilities in the delete subroutine in
| SQL-Ledger 2.8.24 allow remote authenticated users to execute
| arbitrary SQL commands via the (1) id and possibly (2) db parameters
| in a Delete action to the output of a Vendors>Reports>Search search
| operation.

CVE-2009-3583[4]:
| Directory traversal vulnerability in the Preferences menu item in
| SQL-Ledger 2.8.24 allows remote attackers to include and execute
| arbitrary local files via a .. (dot dot) in the countrycode field.

CVE-2009-3584[5]:
| SQL-Ledger 2.8.24 does not set the secure flag for the session cookie
| in an https session, which makes it easier for remote attackers to
| capture this cookie by intercepting its transmission within an http
| session.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4402
    http://security-tracker.debian.org/tracker/CVE-2009-4402
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3580
    http://security-tracker.debian.org/tracker/CVE-2009-3580
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3581
    http://security-tracker.debian.org/tracker/CVE-2009-3581
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3582
    http://security-tracker.debian.org/tracker/CVE-2009-3582
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3583
    http://security-tracker.debian.org/tracker/CVE-2009-3583
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3584
    http://security-tracker.debian.org/tracker/CVE-2009-3584


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAks2UC4ACgkQNxpp46476aqnFgCcDTCmNFfWryCQzP8BdtX+offK
NJMAn270NMaZzk7L00r7HWDMrCOGhe1D
=qtdH
-----END PGP SIGNATURE-----
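The six CVEs above fall into five code-level classes (directory traversal, SQL injection, CSRF, stored XSS, and a session cookie without the Secure flag) plus one configuration issue. The following Perl script is an added illustration written for this page, not SQL-Ledger's own code or the upstream fix: it shows one defensive helper per code-level class in the style of a Perl CGI application. The table names, the cookie name, the locale directory and the session/form token values are assumed for the demonstration, and the self-test at the bottom uses an in-memory SQLite database, so DBD::SQLite must be installed to run it.

```perl
#!/usr/bin/perl
# Added illustration, not SQL-Ledger's own code: one defensive helper per
# vulnerability class named in the report. Table names, cookie name and the
# locale directory below are assumed values.
use strict;
use warnings;
use DBI;
use CGI::Cookie;
use File::Spec;
use HTML::Entities qw(encode_entities);

# Directory traversal (CVE-2009-3583 class): the country code selects a file
# under a fixed directory, so only a two-letter code is accepted and the
# resulting path is checked to remain inside that directory.
sub locale_file_for {
    my ($countrycode, $base_dir) = @_;
    return undef unless defined $countrycode && $countrycode =~ /\A[a-z]{2}\z/;
    my $path = File::Spec->catfile($base_dir, $countrycode, 'all');
    return undef unless index($path, File::Spec->catdir($base_dir) . '/') == 0;
    return $path;
}

# SQL injection (CVE-2009-3582 class): the table comes from an allow-list,
# the id must be a positive integer, and it travels as a bound parameter.
my %deletable = map { $_ => 1 } qw(vendor customer);
sub delete_by_id {
    my ($dbh, $table, $id) = @_;
    die "table '$table' is not deletable\n" unless $deletable{$table};
    die "invalid id\n" unless defined $id && $id =~ /\A[1-9][0-9]*\z/;
    my $sth = $dbh->prepare("DELETE FROM $table WHERE id = ?");
    return $sth->execute($id);    # number of rows deleted
}

# CSRF (CVE-2009-3580 class): a password change is honoured only when the
# submitted form carries the per-session token, compared in constant time.
sub csrf_token_ok {
    my ($session_token, $form_token) = @_;
    return 0 unless defined $session_token && defined $form_token;
    return 0 unless length $session_token == length $form_token;
    my $diff = 0;
    $diff |= ord(substr $session_token, $_, 1) ^ ord(substr $form_token, $_, 1)
        for 0 .. length($session_token) - 1;
    return $diff == 0 ? 1 : 0;
}

# Stored XSS (CVE-2009-3581 class): descriptions and names are escaped when
# rendered, so a "<script>" tag in a vendor name is shown as text.
sub html_safe { return encode_entities($_[0] // '', '<>&"\''); }

# Cookie Secure flag (CVE-2009-3584 class): over HTTPS the session cookie is
# marked Secure so the browser never sends it on a plain-http request.
sub session_cookie {
    my ($session_id, $is_https) = @_;
    return CGI::Cookie->new(
        -name     => 'SQL-Ledger',
        -value    => $session_id,
        -path     => '/',
        -secure   => $is_https ? 1 : 0,
        -httponly => 1,
    );
}

# Self-test against constructed data in an in-memory SQLite database.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE vendor (id INTEGER PRIMARY KEY, name TEXT)');
$dbh->do("INSERT INTO vendor VALUES (1, 'Acme'), (2, '<script>alert(1)</script>')");

print "path: ",    locale_file_for('de', '/opt/sql-ledger/locale') // 'rejected', "\n";
print "path: ",    locale_file_for('../../etc', '/opt/sql-ledger/locale') // 'rejected', "\n";
print "deleted: ", delete_by_id($dbh, 'vendor', '2'), "\n";
print "deleted: ", eval { delete_by_id($dbh, 'vendor', '1 OR 1=1') } // "refused: $@";
print "csrf: ",    csrf_token_ok('abc123', 'abc123'), ' ', csrf_token_ok('abc123', 'abc124'), "\n";
print "html: ",    html_safe('<script>alert(1)</script>'), "\n";
print "cookie: ",  session_cookie('constructed-session-id', 1)->as_string, "\n";
```

The first two helpers reject bad input outright rather than trying to sanitise it: a two-letter allow-list and an integer check are easier to reason about than stripping `..` or quoting strings. The Secure flag is only set when the request itself arrived over HTTPS; a deployment that terminates TLS on a proxy needs to pass that fact to the application (for instance through a forwarded header it trusts) or the flag will silently never be set.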




Information forwarded to debian-bugs-dist@lists.debian.org, Raphaël Hertzog <hertzog@debian.org>:
Bug#562639; Package sql-ledger. (Wed, 13 Jan 2010 10:39:08 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Raphaël Hertzog <hertzog@debian.org>. (Wed, 13 Jan 2010 10:39:08 GMT)


Message #10 received at 562639@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Giuseppe Iuculano <iuculano@debian.org>, 562639@bugs.debian.org
Subject: Re: Bug#562639: CVE-2009-4402 CVE-2009-3580 CVE-2009-3581 CVE-2009-3582 CVE-2009-3583 CVE-2009-3584
Date: Wed, 13 Jan 2010 11:36:17 +0100
severity 562639 important
thanks

> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for sql-ledger.

The package is clearly identified as being usable only in trusted
environments, and it's tagged secteam::lenny-limited-support.

Thus it doesn't warrant a grave severity. Given that upstream doesn't
care at all, it's quite possible that some of them are fixed but we don't
know and most reports do not come with simple test cases or with patches
so there's not much I can do except if I spend countless hours reproducing
the issues and writing patches myself (which I won't).

Cheers,
-- 
Raphaël Hertzog




Severity set to 'important' from 'grave'. Request was from Raphael Hertzog <hertzog@debian.org> to control@bugs.debian.org. (Wed, 13 Jan 2010 10:39:12 GMT)


Reply sent to Nikolai Lusan <nikolai@lusan.id.au>:
You have taken responsibility. (Wed, 20 Jun 2012 10:30:25 GMT)


Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Wed, 20 Jun 2012 10:30:29 GMT)


Message #17 received at 562639-done@bugs.debian.org:

From: Nikolai Lusan <nikolai@lusan.id.au>
To: 562639-done@bugs.debian.org
Subject: Version: 2.8.32-1
Date: Wed, 20 Jun 2012 20:27:17 +1000
Version: 2.8.32-1

This bug was closed in the upstream release 2.8.32 and in the subsequent
Debian package 2.8.32-1. Marked in the upstream Changelog as "fixed SQL
injection"
-- 
Nikolai Lusan <nikolai@lusan.id.au>

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 19 Jul 2012 07:29:18 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:43:18 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.