#513 Debian fix for vulnerability CVE-2006-2247

open
nobody
None
5
2013-01-14
2007-09-11
No

The patch below is applied to the Debian package for WebCalendar in order to fix the vulnerability CVE-2006-2247: "WebCalendar generates different error messages depending on whether or not a username is valid, which allows remote attackers to enumerate valid usernames."

Please consider applying it for the next release.

Rafael Laboissiere

Discussion

  • Patch for fixing CVE-2006-2247

  • Logged In: YES
    user_id=24666
    Originator: YES

    I forgot to say that the attached patch applies cleanly to 1.1.5.

     
  • Craig Knudsen
    2007-09-17

    Logged In: YES
    user_id=14386
    Originator: NO

    Rafael,

    The patch does not take advantage of the $silent option, which will be used in production systems. I'd like to keep the option of turning on the informative messages (for development systems) since we get a _lot_ of help requests for users not being able to log in.
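
The trade-off discussed in this thread, as an added example that is not part of the ticket, the attached patch, or WebCalendar's code: a login check that returns one message for every failure when a silent flag is set and the specific reason otherwise. The function name, the `$silent` parameter as modelled here, the message strings and the sample user store are all assumptions; the dummy-hash step, which keeps both failure paths doing the same work, goes beyond what the thread covers.

```php
<?php
// Added illustration; not WebCalendar code. All names here are hypothetical.

// Constructed sample user store: username => password hash.
$USERS = [
    'alice' => password_hash('correct horse', PASSWORD_DEFAULT),
];

// Hash of a throwaway password, verified when the username is unknown so that
// the unknown-user path costs about the same as the wrong-password path.
$DUMMY_HASH = password_hash('placeholder', PASSWORD_DEFAULT);

/**
 * Returns [bool $ok, string $messageForClient].
 * $silent = true  (production): one message for every failure.
 * $silent = false (development): the specific reason is shown to the user.
 */
function check_login(array $users, string $dummyHash, string $user, string $pass, bool $silent): array
{
    $known = array_key_exists($user, $users);
    $hash  = $known ? $users[$user] : $dummyHash;
    $match = password_verify($pass, $hash);

    if ($known && $match) {
        return [true, 'OK'];
    }

    // The precise reason always goes to the server log, so support staff can
    // still diagnose login problems when the client sees the generic message.
    $reason   = $known ? 'bad password' : 'no such user';
    $safeUser = preg_replace('/[^\x20-\x7E]/', '?', $user); // keep log lines intact
    error_log("login failed for '$safeUser': $reason");

    return [false, $silent ? 'Invalid login' : "Invalid login: $reason"];
}

// Production setting: a wrong password and an unknown user look the same.
[, $prodBadPass] = check_login($USERS, $DUMMY_HASH, 'alice', 'wrong', true);
[, $prodNoUser]  = check_login($USERS, $DUMMY_HASH, 'mallory', 'wrong', true);
var_dump($prodBadPass === $prodNoUser);

// Development setting: the messages differ, which is the behaviour
// described in CVE-2006-2247.
[, $devBadPass] = check_login($USERS, $DUMMY_HASH, 'alice', 'wrong', false);
[, $devNoUser]  = check_login($USERS, $DUMMY_HASH, 'mallory', 'wrong', false);
var_dump($devBadPass === $devNoUser);
```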