author | lth <lth@FreeBSD.org> | 2007-03-16 19:48:32 +0800
---|---|---
committer | lth <lth@FreeBSD.org> | 2007-03-16 19:48:32 +0800
commit | ae8958d2c449a7a88a62d94da8920a8b728e5171 (patch) |
tree | e8661b14ffcde1ddbb76b45d8228e0698e686712 /security/vuxml |
parent | ae87036659f1e63ae80d02a096367b0b33e6a833 (diff) |
Document sql-ledger vulnerability
PR: ports/110350
Submitted by: Antoine Beaupre <anarcat@koumbit.org>
Diffstat (limited to 'security/vuxml')
-rw-r--r-- | security/vuxml/vuln.xml | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 74dc977d7eb7..e70741f63fcd 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -34,6 +34,47 @@ Note: Please add new entries to the beginning of this file. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="8e02441d-d39c-11db-a6da-0003476f14d3"> + <topic>sql-ledger -- security bypass vulnerability</topic> + <affects> + <package> + <name>sql-ledger</name> + <range><lt>sql-ledger-2.6.26</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Chris Travers reports:</p> + <blockquote cite="http://www.securityfocus.com/archive/1/462375"> + <p>George Theall of Tenable Security notified the LedgerSMB + core team today of an authentication bypass vulnerability + allowing full access to the administrator interface of + LedgerSMB 1.1 and SQL-Ledger 2.x. The problem is caused + by the password checking routine failing to enforce a + password check under certain circumstances. The user + can then create accounts or effect denial of service + attacks.</p> + <p>This is not related to any previous CVE.</p> + <p>We have coordinated with the SQL-Ledger vendor and + today both of us released security patches correcting + the problem. SQL-Ledger users who can upgrade to 2.6.26 + should do so, and LedgerSMB 1.1 or 1.0 users should + upgrade to 1.1.9. Users who cannot upgrade should + configure their web servers to use http authentication + for the admin.pl script in the main root directory.</p> + </blockquote> + </body> + </description> + <references> + <freebsdpr>ports/110350</freebsdpr> + <url>http://www.securityfocus.com/archive/1/462375</url> + </references> + <dates> + <discovery>2007-03-09</discovery> + <entry>2007-03-16</entry> + </dates> + </vuln> + <vuln vid="f951cf4a-a1fe-11db-98f9-0004aca3703d"> <topic>cacti -- remote injection exploit</topic> <affects> |
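Review bot: the version range in the new `<affects>` block looks wrong: `<range><lt>sql-ledger-2.6.26</lt></range>` embeds the package name in the version string, whereas VuXML ranges carry a bare version that is compared against the installed package's version, so this should read `<range><lt>2.6.26</lt></range>` or the entry will not match the affected versions of the port. Second, the quoted advisory states that LedgerSMB 1.1 and 1.0 are affected as well (users are told to upgrade to 1.1.9), but `<affects>` only lists `sql-ledger`; if a LedgerSMB port exists in the tree it needs its own `<package>` element with a `<lt>1.1.9</lt>` range, otherwise the entry should say why it is limited to sql-ledger. Minor: the `<topic>` says "security bypass" while the description is specifically an authentication bypass of admin.pl; "authentication bypass vulnerability" would be the more precise topic.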