Debian Security Advisory DSA 1239-1 (sql-ledger)

The remote host is missing an update to sql-ledger announced via advisory DSA 1239-1. Several remote vulnerabilities have been discovered in SQL Ledger, a web based double-entry accounting program, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2006-4244 Chris Travers discovered that the session management can be tricked into hijacking existing sessions. CVE-2006-4731 Chris Travers discovered that directory traversal vulnerabilities can be exploited to execute arbitrary Perl code. CVE-2006-5872 It was discovered that missing input sanitising allows execution of arbitrary Perl code.

For the stable distribution (sarge) these problems have been fixed in version 2.4.7-2sarge1. For the upcoming stable distribution (etch) these problems have been fixed in version 2.6.21-1. For the unstable distribution (sid) these problems have been fixed in version 2.6.21-1. We recommend that you upgrade your sql-ledger packages. https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201239-1