lp:ubuntu/gutsy/elog
- Get this branch:
- bzr branch lp:ubuntu/gutsy/elog
Branch information
- Owner: Ubuntu branches
- Status: Development
Recent revisions
- 7. By Recai Oktas
* New upstream release grabbed from Subversion (r1754), includes
fixes for a bunch of security issues[1]:
+ Fixes from Ulf Harnhammar (Debian Security Audit Project):
- There are some incorrect handling of *printf() calls and format
strings. They lead to ELOG crashing completely, with the potential
of executing arbitrary machine code programs, when a user uploads
and submits as the first attachment in an entry a file called
"%n%n%n%n" - or similar - which must not be empty.
- There is a Cross-site Scripting issue when requesting correctly
named but non-existent files for downloading.
- There are also Cross-site Scripting issues when creating new
entries with New. If a document sends data to ELOG where the fields
Type and Category contain invalid entries with HTML code, the
resulting error document will print the Type or Category data as-is
with no quoting.
+ Fixes from OS2A team (credits go to Jayesh KS and Arun Kethipelly):
- Remote exploitation of a denial of service vulnerability in ELOG's
elogd server allows attackers to crash the service, thereby
preventing legitimate access. (Closes: #397875)
[1] Leaving #392016 open for the reasons stated in that report.
- 6. By Recai Oktas
* Urgency set to critical because of the security issues.
* New upstream release grabbed from Subversion (r1719).
+ Fix an XSS vulnerability, which occurs when editing a log entry
in HTML mode. (Closes: #389361)
- 5. By Recai Oktas
* New upstream release grabbed from Subversion (r1642).
+ Really fix the security issue CVE-2005-4439.
* Sigh! Previous upload has some flaws:
+ Install elcode.js and other resource files. ElCode editor buttons
should work now (thanks David Prince).
+ debian/update: Modify it to catch such sort of errors.
+ Really remove debian/watch.
+ Fix the pbuilder DEBEMAIL field which made the previous upload appear
as an NMU.
* Add a Debian specific note about the usage of password files in Elog.
* Urgency set to critical for security fix.
- 4. By Recai Oktaş
* New upstream beta release with the latest changes from CVS (r1.1716).
+ Features a simple markup called ELCode, a special set of tags to
format an ELOG entry. The ELCode tags are similar to the BBCode
tags (phpBB), sometimes also referred to as vB code.
* Add Turkish ELOG translation.
* Apply a patch to suppress GCC4-related signedness warnings.
* debian/control:
+ Bump Standards-Version to 3.6.2.
+ Rewrite description; needs a proof-read by a native English speaker.
* debian/copyright: Clarify the copyright.
* debian/rules:
+ Switch to debhelper compat 4.
+ Get rid of multiple dh_installs by using an '.install' file.
+ Remove the redundant INSTALL_PROGRAM logic.
[These issues were pointed out by Marc 'HE' Brockschmidt; thanks Marc!]
- 3. By Recai Oktaş
* Latest upstream from CVS (r1.674).
+ Includes the fix for a buffer overflow: r1.648.
+ See CVS logs for all changes:
http://midas.psi.ch/cgi-bin/cvsweb/elog/src/elogd.c
* Urgency set to high because of the security issue.
* Remove redundant debian/dirs file.
- 2. By Recai Oktaş
* Latest upstream from CVS (r1.526). (Closes: #285832, #285834)
* Update elogd(8) and elog(1) for the new options.
* Minor doc fix for elogd.c.
Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)