[ MDVSA-2008:193 ] kolab-server

Mandrivan turvallisuustiedotteiden tuoreimmat
Viestiketju on lukittu

[ MDVSA-2008:193 ] kolab-server

Uusi viestiKirjoittaja dude67 » 14 Syys 2008, 09:11

kolab-server

Gavin McCullagh of Griffith College Dublin reported an issue in Kolab
v1 where user passwords were being recorded in the Apache log files
due to Kolab using HTTP GET requests rather than HTTP POST requests.
This would allow any users with access to the Apache log files to
harvest user passwords and possibly other sensitive data.

The patch to fix this problem also corrects and issue where
non-alphanumeric characters in passwords, set via the Kolab web
interface, did not work.

The updated packages have been patched to prevent these issues.
Many thanks to Gavin McCullagh for his help in writing the patch and
testing the fix.

As well, to scrub existing log files to remove existing stored
passwords, the following sed command can be used:

sed -i
's/\(&password_0=\).*\(&password_1=\).*\(&mail_0\)/\1xxxxxxxx\2xxxxxxxx\3/'
/var/log/httpd/ssl_access_log*
_______________________________________________________________________

References:

https://qa.mandriva.com/43434
_______________________________________________________________________
Kuva
1. Mageia-1 KDE4 x86_64 (& Win7 Pro) | desktop
2. Mageia-2 KDE4 (& Win7 Home Premium) | laptop Acer 7530
3. Mageia-1 KDE4 (& Win7 Starter) | Samsung NC-10 miniläppäri
4. Mageia-1 KDE4 | serverinä toimiva desktop
Luotettavaa Linux käyttöä jo Mandriva 2006.0:sta lähtien :)
Avatar
dude67
Site Admin
 
Viestit: 2256
Liittynyt: 27 Syys 2007, 16:58
Paikkakunta: Espoo
Ylös
Viestiketju on lukittu

Paluu Mandrivan turvallisuustiedotteet

Paikallaolijat

Käyttäjiä lukemassa tätä aluetta: Ei rekisteröityneitä käyttäjiä ja 26 vierailijaa

Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
Käännös, Lurttinen, www.phpbbsuomi.com
cron