Accepted elog 2.6.2+r1754-1 (source i386)
Format: 1.7
Date: Sat, 11 Nov 2006 19:47:39 +0200
Source: elog
Binary: elog
Architecture: source i386
Version: 2.6.2+r1754-1
Distribution: unstable
Urgency: low
Maintainer: Recai Oktaş <roktas@debian.org>
Changed-By: Recai Oktaş <roktas@debian.org>
Description:
elog - Logbook system to manage notes through a Web interface
Closes: 397875
Changes:
elog (2.6.2+r1754-1) unstable; urgency=low
.
* New upstream release grabbed from Subversion (r1754), includes
fixes for a bunch of security issues[1]:
+ Fixes from Ulf Harnhammar (Debian Security Audit Project):
- There is some incorrect handling of *printf() calls and format
strings. They lead to ELOG crashing completely, with the potential
of executing arbitrary machine code programs, when a user uploads
and submits as the first attachment in an entry a file called
"%n%n%n%n" - or similar - which must not be empty.
- There is a Cross-site Scripting issue when requesting correctly
named but non-existent files for downloading.
- There are also Cross-site Scripting issues when creating new
entries with New. If a document sends data to ELOG where the fields
Type and Category contain invalid entries with HTML code, the
resulting error document will print the Type or Category data as-is
with no quoting.
+ Fixes from OS2A team (credits go to Jayesh KS and Arun Kethipelly):
- Remote exploitation of a denial of service vulnerability in ELOG's
elogd server allows attackers to crash the service, thereby
preventing legitimate access. (Closes: #397875)
[1] Leaving #392016 open for the reasons stated in that report.
Files:
217fd559b3d1020fe33c581a5a4a25bb 571 web optional elog_2.6.2+r1754-1.dsc
9f954f72bd281c598e22b1ba129c967f 763534 web optional elog_2.6.2+r1754.orig.tar.gz
e8c7f56087353d645ba35ff311024a9a 12892 web optional elog_2.6.2+r1754-1.diff.gz
d4050f06d569c92fd9d94e7ef6bb5e36 757584 web optional elog_2.6.2+r1754-1_i386.deb
Accepted:
elog_2.6.2+r1754-1.diff.gz
to pool/main/e/elog/elog_2.6.2+r1754-1.diff.gz
elog_2.6.2+r1754-1.dsc
to pool/main/e/elog/elog_2.6.2+r1754-1.dsc
elog_2.6.2+r1754-1_i386.deb
to pool/main/e/elog/elog_2.6.2+r1754-1_i386.deb
elog_2.6.2+r1754.orig.tar.gz
to pool/main/e/elog/elog_2.6.2+r1754.orig.tar.gz