Package: gosa
Version: 2.5.6-2
Severity: grave
Tags: security
Justification: user security hole

I'm filing this bug to track that gosa in Etch is still vulnerable
to the vulnerability fixed in 2.5.8:

|   - Security fix, that removes the possibility to change several settings
|     for non-privileged users.
|
| I encourage everyone who is using 2.5.x releases to upgrade to 2.5.8. As
| reported by Torben Mühlbach it is possible to alter some values when tricking
| around with POST values directly. It is even possible to expose the
| administrator rights: we were able to change an admin password without the
| required privileges - which should be considered critical.

Cheers,
        Moritz

