ELOG security vulnerability fixed, IMPORTANT!!!!, posted by Stefan Ritt on Mon Feb 14 12:36:30 2005
    Re: ELOG security vulnerability fixed, IMPORTANT!!!!, posted by Recai Oktas on Mon Feb 14 18:49:44 2005
Message ID: 943     Entry time: Mon Feb 14 18:49:44 2005     In reply to: 941
Icon: Warning  Author: Recai Oktas  Author Email: roktas@omu.edu.tr 
Category: Info  OS: Linux  ELOG Version: 2.5.7 
Subject: Re: ELOG security vulnerability fixed, IMPORTANT!!!! 
Attention to Debian users;

I've prepared the fixed package and also contacted the Debian Security Team for
an urgent security upload.  Since then you may wish to update your package from
the following URL:

  http://l10n-turkish.alioth.debian.org/debian/elog_2.5.7+r1558-1_i386.deb

Or you can also update via apt-get by adding the line below to your
'/etc/apt/sources.list' file:

  deb http://l10n-turkish.alioth.debian.org/debian/ ./

> The second vulnerability had to do with write passwords. If you put a "write
> password = xxx" statement into your config file, it was still possible to
> download the config file with a special hand-written URL, and decode the
> write password, which is usually only base-64 encoded unless you haven't
> compiled elog with the -DHAVE_CRYPT flag.

FYI, the Debian package has already been compiled with this flag.

 -- Recai Oktas, Maintainer of Debian package
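As an added illustration of the point in the quoted paragraph (example code, not from this thread or from ELOG itself): a small audit over an elogd.cfg-style text that flags password values stored as plain base64, which anyone able to fetch the config file can reverse. The config fragment is constructed, the "opaque" value is a stand-in for a hashed (-DHAVE_CRYPT) password, and the check is a heuristic on the shape of the value, not ELOG's own storage format.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed elogd.cfg fragment (not taken from the page). "Write password"
# carries a plain base64 value, as a non-HAVE_CRYPT build stores it;
# "Admin password" is a constructed opaque string standing in for a hash.
SAMPLE_CFG = """\
[demo]
Theme = default
Write password = c2VjcmV0MTIz
Admin password = elJx9UqPz7Lkc
"""

PASSWORD_KEY = re.compile(r"^\s*(read|write|admin)\s+password\s*=\s*(\S+)", re.I)


def base64_plaintext(value: str) -> Optional[str]:
    """Return the decoded text if value is base64 of printable ASCII, else None.

    Heuristic: a hashed value can in rare cases also decode cleanly, so a
    'reversible' verdict is a prompt to check the build, not proof on its own.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or not raw.isascii():
        return None
    text = raw.decode("ascii")
    return text if text.isprintable() else None


def audit_passwords(cfg_text: str) -> List[Tuple[str, str, str]]:
    """Return (logbook, key, verdict) for every password line in the config.

    verdict is 'reversible' when the stored value is just base64 encoded
    and 'opaque' otherwise.
    """
    findings = []
    logbook = "global"
    for line in cfg_text.splitlines():
        section = re.match(r"^\s*\[(.+?)\]", line)
        if section:
            logbook = section.group(1)
            continue
        m = PASSWORD_KEY.match(line)
        if not m:
            continue
        verdict = "reversible" if base64_plaintext(m.group(2)) else "opaque"
        findings.append((logbook, m.group(1).lower() + " password", verdict))
    return findings
```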