[interchange-cvs] interchange - racke modified 2 files

interchange-cvs at icdevgroup.org
Mon Mar 29 06:34:29 EST 2004


User:      racke
Date:      2004-03-29 11:34:28 GMT
Modified:  .        Tag: STABLE_4_8-branch WHATSNEW
Modified:  debian   Tag: STABLE_4_8-branch changelog
Log:
new upstream release

Revision  Changes    Path
2.6.2.92  +17 -1     interchange/WHATSNEW


rev 2.6.2.92, prev_rev 2.6.2.91
Index: WHATSNEW
===================================================================
RCS file: /anon_cvs/repository/interchange/WHATSNEW,v
retrieving revision 2.6.2.91
retrieving revision 2.6.2.92
diff -u -r2.6.2.91 -r2.6.2.92
--- WHATSNEW	16 Dec 2003 15:01:01 -0000	2.6.2.91
+++ WHATSNEW	29 Mar 2004 11:34:26 -0000	2.6.2.92
@@ -5,9 +5,25 @@
 ------------------------------------------------------------------------------
 
 
-Interchange 4.8.8 released 2003-12-16.
+Interchange 4.8.8 released 2004-03-29.
+
+Security
+--------
+
+* Plug a security hole which allows an attacker to expose arbitrary variable 
+  contents by using an URL like 
+  http://shop.example.com/cgi-bin/store/__SQLUSER__. 
+
+  All Interchange applications using the standard "missing" special page
+  from the demo catalog or a similar one are vulnerable to this attack.
+  The attacker may learn the SQL access information for your Interchange
+  application and use this information to read and manipulate sensitive
+  data.
 
 * Fix security hole with possible SQL injection.
+
+Miscellaneous
+-------------
 
 * Fix order import problem found by Karen Gold.
 
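Review bot: The new Security entry names the exposure (SQL access information readable through the "missing" special page) but gives operators no action beyond the implied upgrade. Since the text itself says an attacker "may learn the SQL access information", add a sentence recommending that database credentials be changed after upgrading, and say which catalogs need their "missing" page checked if it was copied from the demo catalog. The unchanged "Fix security hole with possible SQL injection" item is much terser than the entry now placed above it; a short note on which input or component was affected would make the two items consistent. The added lines ending in "variable ", "like " and "__SQLUSER__. " also carry trailing whitespace. Finally, the release date for 4.8.8 is rewritten in place from 2003-12-16 to 2004-03-29; if 4.8.8 was never published with the earlier date this is fine, otherwise readers will see two different dates for the same version.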



2.10.2.38 +6 -0      interchange/debian/changelog


rev 2.10.2.38, prev_rev 2.10.2.37
Index: changelog
===================================================================
RCS file: /anon_cvs/repository/interchange/debian/changelog,v
retrieving revision 2.10.2.37
retrieving revision 2.10.2.38
diff -u -r2.10.2.37 -r2.10.2.38
--- changelog	22 Jan 2003 10:00:03 -0000	2.10.2.37
+++ changelog	29 Mar 2004 11:34:27 -0000	2.10.2.38
@@ -1,3 +1,9 @@
+interchange (4.8.8-1) unstable; urgency=high
+
+  * new upstream release (Closes: #240800, upstream fix for security hole)
+
+ -- Stefan Hornburg (Racke) <racke at linuxia.de>  Mon, 29 Mar 2004 12:57:52 +0200
+
 interchange (4.8.7-1) unstable; urgency=low
 
   * new upstream release
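Review bot: The changelog line "(Closes: #240800, upstream fix for security hole)" does not say which hole is fixed, so a Debian user reading only this file cannot tell whether urgency=high applies to their setup. Consider naming the issue in a few words, matching the WHATSNEW text from the same commit (disclosure of variable contents such as SQL access information via the "missing" special page), so the entry stands on its own.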







