elog - several

Several security problems have been found in elog, an electronic logbook
to manage notes. The Common Vulnerabilities and Exposures Project
identifies the following problems:

• CVE-2005-4439
  “GroundZero Security” discovered that elog insufficiently checks the
  size of a buffer used for processing URL parameters, which might lead
  to the execution of arbitrary code.
• CVE-2006-0347
  It was discovered that elog contains a directory traversal vulnerability
  in the processing of “…/” sequences in URLs, which might lead to
  information disclosure.
• CVE-2006-0348
  The code to write the log file contained a format string vulnerability,
  which might lead to the execution of arbitrary code.
• CVE-2006-0597
  Overly long revision attributes might trigger a crash due to a buffer
  overflow.
• CVE-2006-0598
  The code to write the log file does not enforce bounds checks properly,
  which might lead to the execution of arbitrary code.
• CVE-2006-0599
  elog emitted different errors messages for invalid passwords and invalid
  users, which allows an attacker to probe for valid user names.
• CVE-2006-0600
  An attacker could be driven into infinite redirection with a crafted
  “fail” request, which has denial of service potential.

The old stable distribution (woody) does not contain elog packages.

For the stable distribution (sarge) these problems have been fixed in
version 2.5.7+r1558-4+sarge2.

For the unstable distribution (sid) these problems have been fixed in
version 2.6.1+r1642-1.

We recommend that you upgrade your elog package.