Recai Oktaş wrote:

> elog (2.5.7+r1558-4+sarge1) stable-security; urgency=high
>
> * Major security update (big thanks to Florian Weimer)
> + Backport r1333 from upstream's Subversion repository:
> "Fixed crashes with very long (revisions) attributes"
> + Backport r1335 from upstream's Subversion repository:
> "Applied patch from Emiliano to fix possible buffer overflow"
> + Backport r1472 from upstream's Subversion repository:
> "Do not distinguish between invalid user name and invalid password
> for security reasons"
> + Backport r1487 from upstream's Subversion repository:
> "Fixed infinite redirection with ?fail=1"
> + Backport r1529 from upstream's Subversion repository:
> "Fixed bug with fprintf and buffer containing "%""
> [Our patch just eliminates the format string vulnerability.]
> + Backport r1620 from upstream's Subversion repository:
> "Prohibit '..' in URLs" [CVE-2006-0347]
> + Backport r1635 from upstream's Subversion repository:
> "Fixed potential buffer overflows" [CVE-2005-4439]
> + Backport r1636 from upstream's Subversion repository:
> "Added IP address to log file"
Why is r1636 necessary? This seems like a new feature (better logging in case of an attack), but it doesn't seem to fix a direct security problem and could potentially break scripts that monitor the log file and expect the current log file format.

The rest of the patch looks fine.

Cheers,
Moritz