-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 11 Nov 2006 19:47:39 +0200
Source: elog
Binary: elog
Architecture: source i386
Version: 2.6.2+r1754-1
Distribution: unstable
Urgency: low
Maintainer: Recai Oktaş <[EMAIL PROTECTED]>
Changed-By: Recai Oktaş <[EMAIL PROTECTED]>
Description: 
 elog       - Logbook system to manage notes through a Web interface
Closes: 397875
Changes: 
 elog (2.6.2+r1754-1) unstable; urgency=low
 .
   * New upstream release grabbed from Subversion (r1754), includes fixes
     for a bunch of security issues[1]:
     + Fixes from Ulf Harnhammar (Debian Security Audit Project):
       - There is some incorrect handling of *printf() calls and format
         strings. They lead to ELOG crashing completely, with the potential
         of executing arbitrary machine code programs, when a user uploads
         and submits as the first attachment in an entry a file called
         "%n%n%n%n" - or similar - which must not be empty.
       - There is a Cross-site Scripting issue when requesting correctly
         named but non-existent files for downloading.
       - There are also Cross-site Scripting issues when creating new
         entries with New. If a document sends data to ELOG where the
         fields Type and Category contain invalid entries with HTML code,
         the resulting error document will print the Type or Category data
         as-is with no quoting.
     + Fixes from OS2A team (credits go to Jayesh KS and Arun Kethipelly):
       - Remote exploitation of a denial of service vulnerability in ELOG's
         elogd server allows attackers to crash the service, thereby
         preventing legitimate access. (Closes: #397875)
 .
     [1] Leaving #392016 open for the reasons stated in that report.
Files: 
 217fd559b3d1020fe33c581a5a4a25bb 571 web optional elog_2.6.2+r1754-1.dsc
 9f954f72bd281c598e22b1ba129c967f 763534 web optional elog_2.6.2+r1754.orig.tar.gz
 e8c7f56087353d645ba35ff311024a9a 12892 web optional elog_2.6.2+r1754-1.diff.gz
 d4050f06d569c92fd9d94e7ef6bb5e36 757584 web optional elog_2.6.2+r1754-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFVhGRnA44mz/SXIQRAviOAJ4uz2Lgn+gkBlu2VO2ytei4DhPbyQCfbmeW
R1zkjlq874uPwW+LTbFIfE0=
=PrW7
-----END PGP SIGNATURE-----


Accepted:
elog_2.6.2+r1754-1.diff.gz
  to pool/main/e/elog/elog_2.6.2+r1754-1.diff.gz
elog_2.6.2+r1754-1.dsc
  to pool/main/e/elog/elog_2.6.2+r1754-1.dsc
elog_2.6.2+r1754-1_i386.deb
  to pool/main/e/elog/elog_2.6.2+r1754-1_i386.deb
elog_2.6.2+r1754.orig.tar.gz
  to pool/main/e/elog/elog_2.6.2+r1754.orig.tar.gz
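The two input-handling bug classes named in the changelog above (an attacker-controlled attachment name reaching a *printf() format argument, and Type/Category values echoed into an error page without quoting) are illustrated below as an added example in C. This is not elog's code and does not reproduce the actual fix in r1754; the function names, the buffer sizes and the two sample inputs are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Vulnerable pattern behind the "%n%n%n%n" attachment-name bug: the
 * untrusted name is passed as the FORMAT argument, so every "%n" in it
 * makes printf write a byte count into memory it should never touch.
 *
 *     sprintf(line, name);      <- attacker controls the format string
 *
 * Shown only as a comment; the hardened version below is what runs.
 */

/* Hardened: the untrusted name is always a %s argument, never the format.
 * Returns the number of characters written, or -1 if it would not fit. */
int format_attachment_line(char *out, size_t outlen, int index, const char *name)
{
    int n = snprintf(out, outlen, "Attachment %d: %s", index, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Defence in depth: count conversion directives in an untrusted string so
 * a caller can log or reject names that look like format-string probes.
 * A doubled "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" -> literal '%' */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

/* HTML-escape a field value (Type, Category) before echoing it into an
 * error page, so "<script>" renders as text instead of executing.
 * Returns the escaped length, or -1 if out is too small. */
int html_escape(char *out, size_t outlen, const char *in)
{
    size_t used = 0;
    for (const char *p = in; *p; p++) {
        char one[2] = { *p, '\0' };
        const char *rep;
        switch (*p) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (used + rl >= outlen)    /* keep room for the terminator */
            return -1;
        memcpy(out + used, rep, rl);
        used += rl;
    }
    out[used] = '\0';
    return (int)used;
}

int main(void)
{
    char line[64], page[128];
    /* Constructed sample inputs, modelled on the two reports above. */
    const char *evil_name = "%n%n%n%n";
    const char *evil_type = "<script>alert(1)</script>";

    int directives = count_format_directives(evil_name);
    if (directives > 0)
        printf("warning: attachment name contains %d format directives\n",
               directives);
    format_attachment_line(line, sizeof line, 1, evil_name);
    puts(line);                         /* literal %n, nothing written */

    html_escape(page, sizeof page, evil_type);
    printf("<p>Invalid Type: %s</p>\n", page);
    return 0;
}
```

The hardened formatter keeps the attacker's string in the argument list and checks snprintf's return value for truncation; the directive counter is only a heuristic for logging, since the real defence is never letting user data become a format string. The escaper covers the five characters that matter in both element content and attribute values, which is what "quoting" in the changelog refers to.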