Florian Weimer on 2007-03-24 10:57:39 +0100:
> Is it really a good idea to release this with etch, given the excerpt from
> the README.Debian file below? (Sorry if this has been discussed
> before.)
>
> IMPORTANT SECURITY NOTICE
> -------------------------
> SQL-Ledger is known to have many vulnerabilities that are exploitable by
> someone who has a user account on this web application. That's why you
> should *only* use that application if you trust the users that have access
> to it.
>
> Historically it also had some vulnerabilities that could be exploited even
> without having an account. So we advise you to put this web
> application in an authenticated HTTP zone.
debian/postinst unconditionally enables the application in apache (only apache, not apache2), but does not restart the web server to make it available. If it's a security risk and should only be run in an authenticated HTTP zone as the maintainer suggests, perhaps it should not be enabled by default.

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
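As an added example (not part of the thread, the Debian package, or SQL-Ledger itself), this is one way to put the application into the "authenticated HTTP zone" the README asks for, using the apache 1.3 configuration syntax the reply refers to. The install path, htpasswd file location and allowed network are assumptions.

```apache
# Added example, not shipped by the package: wrap SQL-Ledger in HTTP
# authentication so that nobody reaches the application's own login
# (and the vulnerabilities reachable from a user account) without first
# authenticating to the web server.

# Make the application reachable (assumed install path).
Alias /sql-ledger /usr/share/sql-ledger

<Directory /usr/share/sql-ledger>
    # HTTP-level login in front of the application. Send this only over
    # HTTPS; Basic credentials are cleartext otherwise.
    AuthType Basic
    AuthName "SQL-Ledger (restricted)"
    AuthUserFile /etc/sql-ledger/htpasswd   # assumed path; create with htpasswd(1)
    Require valid-user

    # Additionally limit which networks may talk to it at all
    # (apache 1.3 / 2.0 access syntax; 192.0.2.0/24 is a constructed example).
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24

    # Both the network check and the password must pass.
    Satisfy all
</Directory>
```

Because postinst does not restart the web server, none of this takes effect until apache is restarted or reloaded; verify afterwards that an unauthenticated request to /sql-ledger/ returns 401 rather than the application's login page.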

