Message-ID: <46148617.10109@metatrontech.com>
Date: Wed, 04 Apr 2007 22:16:07 -0700
From: Chris Travers <chris@...atrontech.com>
To: bugtraq@...urityfocus.com
Subject: LedgerSMB 1.2.0 finally released, fixes CVE-2006-5589

LedgerSMB 1.2.0 has been released, completing a comprehensive SQL 
injection audit of the code inherited from SQL-Ledger.  Numerous SQL 
injection issues were fixed.  In fact, most fields were not properly 
quoted and escaped.  These problems should affect all known versions of 
SQL-Ledger as well.  The fix was delayed because the scale of the 
changes made required extensive testing-- these were not trivial changes.

Users are advised to upgrade as soon as possible.  However, one should 
also note that (as we have documented in our manual), user permissions 
are not yet strictly enforced.  Therefore, the current recommendation 
that database user accounts are used to enforce privilege separation 
still holds.

Those who maintain security advisory lists should list CVE-2006-5589 as 
now officially closed for LedgerSMB, though it is likely to remain open 
for SQL-Ledger.

Best Wishes,
Chris Travers
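The quoting problem the announcement describes, as an added illustration that is not LedgerSMB or SQL-Ledger code: Python with an in-memory SQLite table stands in for the Perl/PostgreSQL stack, and the table, columns and customer names are constructed for the example. It contrasts a query that splices a field straight into the SQL text (the pre-1.2.0 pattern the advisory refers to) with two remedies: doubling quotes before splicing, which is what "quoted and escaped" historically meant, and a bound parameter, which keeps the value out of the SQL parser altogether. The same input that breaks the unsafe query on a legitimate name containing an apostrophe is also what lets a crafted value change the query's meaning.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from LedgerSMB): a tiny customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, balance REAL)"
    )
    conn.executemany(
        "INSERT INTO customer (name, balance) VALUES (?, ?)",
        [("Acme Ltd", 120.0), ("O'Neil & Sons", 45.5), ("Globex", 0.0)],
    )
    return conn


def lookup_unsafe(conn, name):
    """The defect the advisory describes: the field is spliced into the SQL
    text with no quoting or escaping, so the value is parsed as SQL."""
    sql = "SELECT name, balance FROM customer WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_escaped(conn, name):
    """Escape-and-splice remedy: any single quote in the value is doubled so
    the string literal stays closed. Correct here, but it has to be repeated
    for every field and every value type, which is how fields get missed."""
    sql = "SELECT name, balance FROM customer WHERE name = '%s'" % name.replace(
        "'", "''"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Bound-parameter remedy: the driver passes the value separately from the
    statement, so it can never alter the query structure."""
    return conn.execute(
        "SELECT name, balance FROM customer WHERE name = ?", (name,)
    ).fetchall()


def compare(conn, value):
    """Run all three variants on the same input and report what each returned.
    A database error from the unsafe variant is reported as an 'error: ...' string."""
    try:
        unsafe = lookup_unsafe(conn, value)
    except sqlite3.Error as exc:
        unsafe = "error: %s" % exc
    return {
        "unsafe": unsafe,
        "escaped": lookup_escaped(conn, value),
        "safe": lookup_safe(conn, value),
    }


if __name__ == "__main__":
    db = make_db()
    # A legitimate name containing an apostrophe: the unsafe query fails with
    # a syntax error, the two fixed variants return the one matching row.
    print(compare(db, "O'Neil & Sons"))
    # A value shaped to close the quote early: the unsafe query now matches
    # every customer, the two fixed variants match nothing.
    print(compare(db, "x' OR '1'='1"))
```

The bound-parameter form is the one to standardise on: it removes the per-field escaping step entirely, so an audit of the kind the announcement describes reduces to finding any remaining string interpolation into SQL text.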
