List:       oss-security
Subject:    Re: [oss-security] CVE Request: courier-authlib < 0.62.0 SQL Injection
From:       Steffen Joeris <steffen.joeris () skolelinux ! de>
Date:       2009-03-11 1:04:21
Message-ID: 200903111204.26800.steffen.joeris () skolelinux ! de

Hi Pierre-Yves

> From Changelog:
>
> "0.62.0
> 2008-12-17  Sam Varshavchik  <mrsam@courier-mta.com>
>
> * authpgsqllib.c: Use PQescapeStringConn() instead of removing all
>  apostrophes from query parameters. This fixes a potential SQL injection
>  vulnerability if the Postgres database uses a non-Latin locale."
>
> References:
> http://www.courier-mta.org/authlib/changelog.html
> http://bugs.gentoo.org/show_bug.cgi?id=252576
This should be CVE-2008-2380.


Cheers
Steffen
