Message-ID: <46148617.10109@metatrontech.com>
Date: Wed, 04 Apr 2007 22:16:07 -0700
From: Chris Travers <chris@...atrontech.com>
To: bugtraq@...urityfocus.com
Subject: LedgerSMB 1.2.0 finally released, fixes CVE-2006-5589
LedgerSMB 1.2.0 has been released, completing a comprehensive SQL
injection audit of the code inherited from SQL-Ledger. Numerous SQL
injection issues were fixed. In fact, most fields were not properly
quoted and escaped. These problems should affect all known versions of
SQL-Ledger as well. The fix was delayed because the scale of the
changes made required extensive testing; these were not trivial changes.
Users are advised to upgrade as soon as possible. However, one should
also note that (as we have documented in our manual), user permissions
are not yet strictly enforced. Therefore, the current recommendation
that database user accounts are used to enforce privilege separation
still holds.
Those who maintain security advisory lists should list CVE-2006-5589 as
now officially closed for LedgerSMB, though it is likely to remain open
for SQL-Ledger.
Best Wishes,
Chris Travers
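The defect class the announcement describes, a form field spliced into SQL text without quoting or escaping, beside its fixed form, as an added example. This is not LedgerSMB's or SQL-Ledger's code: it uses Python with an in-memory SQLite table as a stand-in for the application's Perl/DBI code, and the table, rows and function names are constructed for the illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample: a tiny customer table of the kind an
    accounting application keeps. Not LedgerSMB's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, credit_limit REAL)"
    )
    conn.executemany(
        "INSERT INTO customer (name, credit_limit) VALUES (?, ?)",
        [("Acme Ltd", 1000.0), ("O'Brien & Co", 250.0), ("Globex", 5000.0)],
    )
    conn.commit()
    return conn


def find_customer_unsafe(conn, name):
    """The pattern the advisory describes: the field value is pasted into the
    SQL string as-is, so the database parses whatever the user typed."""
    sql = f"SELECT id, name FROM customer WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn, name):
    """Fixed form: the value is sent as a bound parameter and is never part of
    the SQL text, so it cannot change the statement's structure."""
    return conn.execute(
        "SELECT id, name FROM customer WHERE name = ?", (name,)
    ).fetchall()


def unsafe_query_breaks(conn, name):
    """True when the unquoted query cannot even be parsed for this input.
    An ordinary apostrophe in a customer name is enough to trip it, which is
    how most of these bugs surface in day-to-day use."""
    try:
        find_customer_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def compare(name):
    """Run both versions on the same input and report the row counts side by
    side; None means the unquoted statement was rejected by the parser."""
    conn = make_db()
    if unsafe_query_breaks(conn, name):
        unsafe_rows = None
    else:
        unsafe_rows = len(find_customer_unsafe(conn, name))
    safe_rows = len(find_customer_safe(conn, name))
    return {"unsafe_rows": unsafe_rows, "safe_rows": safe_rows}


if __name__ == "__main__":
    # Three inputs: a plain name, a name containing a quote, and the classic
    # tautology string. Only the parameterised query treats all three as data.
    for n in ("Acme Ltd", "O'Brien & Co", "' OR '1'='1"):
        print(repr(n), compare(n))
```

The third input returns every row from the unquoted query and no rows from the parameterised one, which is the check a reviewer runs on each rewritten field. Binding parameters fixes the parsing problem only; it does nothing about which rows a logged-in user is entitled to see, which is why the advisory's recommendation to keep separate database user accounts for privilege separation still applies after the upgrade.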