LedgerSMB 1.2.0 finally released, fixes CVE-2006-5589
- From: Chris Travers <chris@xxxxxxxxxxxxxxxx>
- Date: Wed, 04 Apr 2007 22:16:07 -0700
LedgerSMB 1.2.0 has been released, completing a comprehensive SQL injection audit of the code inherited from SQL-Ledger. Numerous SQL injection issues were fixed. In fact, most fields were not properly quoted and escaped. These problems should affect all known versions of SQL-Ledger as well. The fix was delayed because the scale of the changes made required extensive testing-- these were not trivial changes.
Users are advised to upgrade as soon as possible. However, one should also note that (as we have documented in our manual), user permissions are not yet strictly enforced. Therefore, the current recommendation that database user accounts are used to enforce privilege separation still holds.
Those who maintain security advisory lists should list CVE-2006-5589 as now officially closed for LedgerSMB, though it is likely to remain open for SQL-Ledger.
Best Wishes,
Chris Travers
begin:vcard
fn:Chris Travers
n:Travers;Chris
email;internet:chris@xxxxxxxxxxxxxxxx
tel;work:509-888-0220
tel;cell:509-630-7794
x-mozilla-html:FALSE
version:2.1
end:vcard
- Prev by Date: Re: [WEB SECURITY] Firefox extensions go Evil - Critical Vulnerabilities in Firefox/Firebug
- Next by Date: [ MDKSA-2007:080 ] - Updated tightvnc packages fix integer overflow vulnerabilities
- Previous by thread: [ MDKSA-2007:079 ] - Updated xorg-x11/XFree86 packages fix integer overflow vulnerabilities
- Next by thread: [ MDKSA-2007:080 ] - Updated tightvnc packages fix integer overflow vulnerabilities
- Index(es):
Relevant Pages
|
