Menu

#513 Debian fix for vulnerability CVE-2006-2247

open
nobody
None
5
2013-01-14
2007-09-11
No

The patch below is applied to the Debian package for WebCalendar in order to fix the vulnerability CVE-2006-2247: "WebCalendar generates different error messages depending on whether or not a username is valid, which allows remote attackers to enumerate valid usernames."

Please consider applying it for the next release

Rafael Laboissiere

Discussion

  • Anonymous

    Anonymous - 2007-09-11

    Patch for fixing CVE-2006-2247

     
    03_login_lean.dpatch

  • Anonymous

    Anonymous - 2007-09-14

    Logged In: YES
    user_id=24666
    Originator: YES

    I forgot to say that the attached patch applies cleanly to 1.1.5.

     

  • Craig Knudsen

    Craig Knudsen - 2007-09-17

    Logged In: YES
    user_id=14386
    Originator: NO

    Rafael,

    The patch does not take advantage of the $silent option, which will be used in production systems. I'd like to keep the option of turning on the informative messages (for development systems) since we get a _lot_ of help requests for users not being able to login.

     

Log in to post a comment.