DSA-1239-1 sql-ledger -- several vulnerabilities

Date Reported:
17 Dec 2006
Affected Packages:
sql-ledger
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 386519.
In Mitre's CVE dictionary: CVE-2006-4244, CVE-2006-4731, CVE-2006-5872.

More information:
Several remote vulnerabilities have been discovered in SQL Ledger, a web based double-entry accounting program, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2006-4244
Chris Travers discovered that the session management can be tricked into hijacking existing sessions.

CVE-2006-4731
Chris Travers discovered that directory traversal vulnerabilities can be exploited to execute arbitrary Perl code.

CVE-2006-5872
It was discovered that missing input sanitising allows execution of arbitrary Perl code.

For the stable distribution (sarge) these problems have been fixed in version 2.4.7-2sarge1.

For the upcoming stable distribution (etch) these problems have been fixed in version 2.6.21-1.

For the unstable distribution (sid) these problems have been fixed in version 2.6.21-1.

We recommend that you upgrade your sql-ledger packages.

Fixed in:
Debian GNU/Linux 3.1 (sarge)
Source:
http://security.debian.org/pool/updates/main/s/sql-ledger/sql-ledger_2.4.7-2sarge1.dsc

http://security.debian.org/pool/updates/main/s/sql-ledger/sql-ledger_2.4.7-2sarge1.diff.gz

http://security.debian.org/pool/updates/main/s/sql-ledger/sql-ledger_2.4.7.orig.tar.gz

Architecture-independent component:
http://security.debian.org/pool/updates/main/s/sql-ledger/sql-ledger_2.4.7-2sarge1_all.deb

MD5 checksums of the listed files are available in the original advisory.