Package: knowledgetree
Severity: grave
Tags: security

CVE-2007-2849 [0]:
"KnowledgeTree Document Management (aka KnowledgeTree Open Source) before STABLE 3.3.7 does not require a password for an unregistered user, when the user exists in Active Directory, which allows remote attackers to log onto KTDMS without the intended authorization check."

The CVE mentions versions before 3.3.7; while Debian's version 2.0.7 does have Active Directory support, it is much older than the version referenced in the advisory and may not be vulnerable. In either case, version 3.3.7 fixes this issue [1].

Please include the CVE in your changelog.

Thanks,
Alec

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2849
[1] http://sourceforge.net/project/shownotes.php?release_id=510338

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.18-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash