[interchange-cvs] interchange - racke modified 2 files
interchange-cvs at icdevgroup.org
Mon Mar 29 06:34:29 EST 2004
User: racke
Date: 2004-03-29 11:34:28 GMT
Modified: . Tag: STABLE_4_8-branch WHATSNEW
Modified: debian Tag: STABLE_4_8-branch changelog
Log:
new upstream release
Revision Changes Path
No revision
No revision
2.6.2.92 +17 -1 interchange/WHATSNEW
rev 2.6.2.92, prev_rev 2.6.2.91
Index: WHATSNEW
===================================================================
RCS file: /anon_cvs/repository/interchange/WHATSNEW,v
retrieving revision 2.6.2.91
retrieving revision 2.6.2.92
diff -u -r2.6.2.91 -r2.6.2.92
--- WHATSNEW 16 Dec 2003 15:01:01 -0000 2.6.2.91
+++ WHATSNEW 29 Mar 2004 11:34:26 -0000 2.6.2.92
@@ -5,9 +5,25 @@
------------------------------------------------------------------------------
-Interchange 4.8.8 released 2003-12-16.
+Interchange 4.8.8 released 2004-03-29.
+
+Security
+--------
+
+* Plug a security hole which allows an attacker to expose arbitrary variable
+ contents by using an URL like
+ http://shop.example.com/cgi-bin/store/__SQLUSER__.
+
+ All Interchange applications using the standard "missing" special page
+ from the demo catalog or a similar one are vulnerable to this attack.
+ The attacker may learn the SQL access information for your Interchange
+ application and use this information to read and manipulate sensitive
+ data.
* Fix security hole with possible SQL injection.
+
+Miscellaneous
+-------------
* Fix order import problem found by Karen Gold.
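Review bot: the header line only moves the date (2003-12-16 to 2004-03-29) while the version stays 4.8.8; if a 4.8.8 carrying the earlier date was ever published, this release needs a new version number so that a site can tell from the version alone whether it has the fix, and if it was never published the entry should say so. The new Security section describes the variable-exposure hole well (vector, who is affected, impact), but the existing line `* Fix security hole with possible SQL injection.` that now sits under the same heading names no component or affected version, and neither item says whether sites that cannot upgrade at once have a stopgap (for example whether the standard "missing" special page can be adjusted); both belong in an advisory-style entry. Minor wording: "an URL" should be "a URL".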
No revision
No revision
2.10.2.38 +6 -0 interchange/debian/changelog
rev 2.10.2.38, prev_rev 2.10.2.37
Index: changelog
===================================================================
RCS file: /anon_cvs/repository/interchange/debian/changelog,v
retrieving revision 2.10.2.37
retrieving revision 2.10.2.38
diff -u -r2.10.2.37 -r2.10.2.38
--- changelog 22 Jan 2003 10:00:03 -0000 2.10.2.37
+++ changelog 29 Mar 2004 11:34:27 -0000 2.10.2.38
@@ -1,3 +1,9 @@
+interchange (4.8.8-1) unstable; urgency=high
+
+ * new upstream release (Closes: #240800, upstream fix for security hole)
+
+ -- Stefan Hornburg (Racke) <racke at linuxia.de> Mon, 29 Mar 2004 12:57:52 +0200
+
interchange (4.8.7-1) unstable; urgency=low
* new upstream release
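Review bot: the entry `* new upstream release (Closes: #240800, upstream fix for security hole)` does not say which hole was fixed; with urgency=high, users reading the changelog and anyone tracking the issue need at least a one-line description (the variable-exposure through special-page URLs described in WHATSNEW) to match this upload to the report, rather than the bug number alone. The SQL-injection fix listed in WHATSNEW is also not mentioned here; if it ships in this upload, name it, since a security upload's changelog is what most Debian users will read.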