Recai Oktaş wrote:
>   elog (2.5.7+r1558-4+sarge1) stable-security; urgency=high
>   
>     * Major security update (big thanks to Florian Weimer)
>       + Backport r1333 from upstream's Subversion repository:
>         "Fixed crashes with very long (revisions) attributes"
>       + Backport r1335 from upstream's Subversion repository:
>         "Applied patch from Emiliano to fix possible buffer overflow"
>       + Backport r1472 from upstream's Subversion repository:
>         "Do not distinguish between invalid user name and invalid password
>          for security reasons"
>       + Backport r1487 from upstream's Subversion repository:
>         "Fixed infinite redirection with ?fail=1"
>       + Backport r1529 from upstream's Subversion repository:
>         "Fixed bug with fprintf and buffer containing "%""
>         [Our patch just eliminates the format string vulnerability.]
>       + Backport r1620 from upstream's Subversion repository:
>         "Prohibit '..' in URLs" [CVE-2006-0347]
>       + Backport r1635 from upstream's Subversion repository:
>         "Fixed potential buffer overflows" [CVE-2005-4439]
>       + Backport r1636 from upstream's Subversion repository:
>         "Added IP address to log file"

Why is r1636 necessary? This seems like a new feature (better logging
in case of an attack), but doesn't seem to fix a direct security problem
and could potentially break scripts that monitor the log file and expect
the current logfile format.

The rest of the patch looks fine.
 
Cheers,
        Moritz

