Accepted elog 2.5.7+r1558-4+sarge3 (source i386)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 25 Nov 2006 13:50:17 +0200
Source: elog
Binary: elog
Architecture: source i386
Version: 2.5.7+r1558-4+sarge3
Distribution: stable-security
Urgency: high
Maintainer: Recai Oktaş <roktas@omu.edu.tr>
Changed-By: Recai Oktaş <roktas@debian.org>
Description:
elog - Logbook system to manage notes through a Web interface
Changes:
elog (2.5.7+r1558-4+sarge3) stable-security; urgency=high
.
* Security update:
+ Backport r1748-r1745 from upstream's Subversion repository:
"Prevent crash if logbook 'global*' is accessed and a logbook
'global*' is defined in config file"
This bug was reported by OS2A team. More details could be found in
"#397875: ELOG Web Logbook Remote Denial of Service Vulnerability"
+ Backport the patch from Debian Security Audit team (r1749 in
repository). Thanks to Ulf Harnhammar. Details could be found
in #392016. Short excerpt from this bug report is quoted below:
"There are some incorrect handling of *printf() calls and format
strings. They lead to ELOG crashing completely, with the potential
of executing arbitrary machine code programs under some conditions.
There are also some cross-site scripting issues."
+ HTML log entries are open to XSS vulnerabilities as demonstrated in
#389361. Though HTML mode had not been enabled by default in this
version of Elog, add "HTML default = 2" option to elog.conf for extra
safety. Thanks to this option, the checkbox which enables HTML mode
is not even shown during log entry.
Files:
c072e867caa0058ac44cbd69c6afff51 581 web optional elog_2.5.7+r1558-4+sarge3.dsc
0718302e60a98844f27cd6eab336c5ce 23758 web optional elog_2.5.7+r1558-4+sarge3.diff.gz
c14108b91d171ac38b0104ae769cfc96 514786 web optional elog_2.5.7+r1558-4+sarge3_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFFkq+NXm3vHE4uyloRAl77AJ9+BYdzRGuX0L4Be834+AHjpSkgBACgu7Vm
IRQCcTAGvWoBzc1RpD36XD4=
=xft2
-----END PGP SIGNATURE-----
Accepted:
elog_2.5.7+r1558-4+sarge3.diff.gz
to pool/main/e/elog/elog_2.5.7+r1558-4+sarge3.diff.gz
elog_2.5.7+r1558-4+sarge3.dsc
to pool/main/e/elog/elog_2.5.7+r1558-4+sarge3.dsc
elog_2.5.7+r1558-4+sarge3_i386.deb
to pool/main/e/elog/elog_2.5.7+r1558-4+sarge3_i386.deb
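The changelog above names two input-handling bug classes without showing them: untrusted text reaching *printf() as the format string (crash, and with %n a memory write), and log entry text reaching the browser as HTML. The C below is an added illustration written for this page, not ELOG's code and not the backported patches; all function names are hypothetical and the sample inputs are constructed. It puts the vulnerable logging-wrapper pattern beside a hardened form, adds an audit helper for code that genuinely has to accept a non-literal format, and shows the escaping that plain-text rendering of an entry needs.

```c
/*
 * Added example (not ELOG's code): format-string misuse and unescaped HTML
 * output, vulnerable pattern beside hardened form. Names are hypothetical.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* VULNERABLE PATTERN: a logging wrapper that forwards untrusted text as the
 * format string. An entry titled "%08x%08x%n" reads stack words and, via %n,
 * writes to memory. Kept for contrast only; nothing below calls it. */
void log_entry_vulnerable(char *out, size_t n, const char *user_text, ...)
{
    va_list ap;
    va_start(ap, user_text);
    vsnprintf(out, n, user_text, ap);   /* user_text is the format */
    va_end(ap);
}

/* HARDENED: the format is a literal and the untrusted text is only ever a
 * "%s" argument, so directives inside it are copied out verbatim. */
int log_entry(char *out, size_t n, const char *user_text)
{
    return snprintf(out, n, "Title: %s", user_text);
}

/* Audit helper for code that must accept a non-literal format (one read
 * from a config file, say): count conversion directives and flag %n, the
 * one that writes memory. "%%" is a literal percent, not a directive. */
int count_directives(const char *fmt, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* escaped percent */
            p++;
            continue;
        }
        const char *q = p + 1;      /* skip flags, width, precision, length */
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q))
            q++;
        if (*q == '\0')             /* truncated directive at end of string */
            break;
        count++;
        if (*q == 'n')
            *has_n = 1;
        p = q;
    }
    return count;
}

int format_writes_memory(const char *fmt)
{
    int has_n;
    count_directives(fmt, &has_n);
    return has_n;
}

/* HARDENED HTML output: escape the characters that let entry text break out
 * of its context in the page. Returns the length written, or -1 if the
 * buffer is too small (out is NUL-terminated either way). */
int html_escape(char *out, size_t n, const char *in)
{
    size_t used = 0;
    if (n == 0)
        return -1;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t len = strlen(rep);
        if (used + len >= n) {      /* leave room for the terminator */
            out[used] = '\0';
            return -1;
        }
        memcpy(out + used, rep, len);
        used += len;
    }
    out[used] = '\0';
    return (int)used;
}

/* Checks that return values instead of printing them. */
int title_is_verbatim(const char *title)
{
    char buf[128];
    log_entry(buf, sizeof buf, title);
    return strncmp(buf, "Title: ", 7) == 0 && strcmp(buf + 7, title) == 0;
}

int escapes_to(const char *in, const char *expected)
{
    char buf[256];
    return html_escape(buf, sizeof buf, in) >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample inputs: a format-string probe and an XSS probe. */
    const char *probe = "%08x%08x%n";
    const char *xss = "<script>alert(1)</script>";
    char buf[128];
    int has_n, count;

    log_entry(buf, sizeof buf, probe);
    printf("%s\n", buf);
    count = count_directives(probe, &has_n);
    printf("directives=%d writes_memory=%d\n", count, has_n);
    html_escape(buf, sizeof buf, xss);
    printf("%s\n", buf);
    return 0;
}
```

The practical check against a codebase like this is mechanical: every printf-family call whose format argument is not a string literal is a finding, and gcc's -Wformat-security (or -Wformat-nonliteral for the wrapper case) lists them. The escaping function covers plain-text rendering only; once an entry is stored as HTML, as the "HTML default" option discussion above concerns, escaping cannot be applied without destroying the entry, which is why the update turns the mode off rather than filtering it.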