Your message dated Mon, 29 May 2006 09:32:10 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#369349: fixed in postfix 2.2.10-2
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: postfix
Severity: important
Version: 2.2.10-1
Tags: security
Hi!
Recently, a security hole has been discovered in PostgreSQL client
applications, see http://www.postgresql.org/docs/techdocs.50 for
details. In short, using \' for quote escaping is insecure and now not
allowed any more in some encodings which are prone to this SQL
injection attack. This has been assigned CVE-2006-2314.
src/global/dict_pgsql.c, dict_pgsql_quote() currently uses \' to
escape quoting, which makes it vulnerable against this attack with
earlier PostgreSQL versions, and will break with the current one
(since it disables this method of quote escaping by default in
affected client encodings). A quick fix is to change the function to
use '' instead of \', but a better fix is to completely replace the
loop with an invocation of PQescapeString() from libpq (as already
noted in the XXX comment above it).
Please also pass this to upstream.
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
--- End Message ---
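The report above describes the escaping problem and two ways to fix it. The following C snippet is an added example and is not Postfix's own code; the function names and the input strings are constructed for illustration. It puts the old backslash-prefixing behaviour next to the quick fix the report suggests (doubling each quote) and models how a parser that ignores backslash escaping, as PostgreSQL does in the affected client encodings after its change, reads each result. The report's preferred fix, calling PQescapeString() from libpq, is not shown because it needs libpq.

```c
#include <stdlib.h>
#include <string.h>

/* Quick fix from the report: escape a string for a single-quoted SQL
 * literal by doubling every quote. The quote byte 0x27 is never the
 * trailing byte of a multibyte character in any PostgreSQL client
 * encoding, so the server cannot merge it into a preceding character.
 * Returns a malloc()ed string; the caller frees it. */
char *pgsql_quote_doubled(const char *in)
{
    size_t extra = 0;
    for (const char *p = in; *p; p++)
        if (*p == '\'')
            extra++;
    char *out = malloc(strlen(in) + extra + 1);
    if (out == NULL)
        return NULL;
    char *q = out;
    for (const char *p = in; *p; p++) {
        if (*p == '\'')
            *q++ = '\'';        /* emit the quote twice */
        *q++ = *p;
    }
    *q = '\0';
    return out;
}

/* Pre-fix behaviour described in the report: prefix each quote with a
 * backslash. The inserted 0x5c byte can be absorbed as the trailing byte
 * of a multibyte character in encodings such as SJIS, which is why
 * PostgreSQL stopped honouring \' there. Kept only for comparison. */
char *pgsql_quote_backslash(const char *in)
{
    size_t extra = 0;
    for (const char *p = in; *p; p++)
        if (*p == '\'')
            extra++;
    char *out = malloc(strlen(in) + extra + 1);
    if (out == NULL)
        return NULL;
    char *q = out;
    for (const char *p = in; *p; p++) {
        if (*p == '\'')
            *q++ = '\\';        /* backslash before the quote */
        *q++ = *p;
    }
    *q = '\0';
    return out;
}

/* Model of a parser that treats only '' as an escaped quote and gives
 * backslash no special meaning. Returns 1 when the escaped text can sit
 * between two quotes without ending the literal early, 0 otherwise. */
int escaped_body_is_wellformed(const char *escaped)
{
    for (const char *p = escaped; *p; p++) {
        if (*p == '\'') {
            if (p[1] != '\'')
                return 0;       /* a lone quote terminates the literal */
            p++;                /* skip the partner quote */
        }
    }
    return 1;
}
```

With input O'Reilly, pgsql_quote_doubled() yields O''Reilly, which the modelled parser accepts, while pgsql_quote_backslash() yields O\'Reilly, which it rejects because the quote after the backslash stands alone. That is the same distinction the server draws once \' is no longer honoured.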
--- Begin Message ---
Source: postfix
Source-Version: 2.2.10-2
We believe that the bug you reported is fixed in the latest version of
postfix, which is due to be installed in the Debian FTP archive:
postfix-dev_2.2.10-2_all.deb
to pool/main/p/postfix/postfix-dev_2.2.10-2_all.deb
postfix-doc_2.2.10-2_all.deb
to pool/main/p/postfix/postfix-doc_2.2.10-2_all.deb
postfix-ldap_2.2.10-2_i386.deb
to pool/main/p/postfix/postfix-ldap_2.2.10-2_i386.deb
postfix-mysql_2.2.10-2_i386.deb
to pool/main/p/postfix/postfix-mysql_2.2.10-2_i386.deb
postfix-pcre_2.2.10-2_i386.deb
to pool/main/p/postfix/postfix-pcre_2.2.10-2_i386.deb
postfix-pgsql_2.2.10-2_i386.deb
to pool/main/p/postfix/postfix-pgsql_2.2.10-2_i386.deb
postfix_2.2.10-2.diff.gz
to pool/main/p/postfix/postfix_2.2.10-2.diff.gz
postfix_2.2.10-2.dsc
to pool/main/p/postfix/postfix_2.2.10-2.dsc
postfix_2.2.10-2_i386.deb
to pool/main/p/postfix/postfix_2.2.10-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
LaMont Jones <[EMAIL PROTECTED]> (supplier of updated postfix package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 29 May 2006 10:03:54 -0600
Source: postfix
Binary: postfix-doc postfix-pgsql postfix-ldap postfix-dev postfix-pcre postfix postfix-mysql
Architecture: all i386 source
Version: 2.2.10-2
Distribution: unstable
Urgency: high
Maintainer: LaMont Jones <[EMAIL PROTECTED]>
Changed-By: LaMont Jones <[EMAIL PROTECTED]>
Description:
postfix - A high-performance mail transport agent
postfix-dev - Postfix loadable modules development environment
postfix-doc - Postfix documentation
postfix-ldap - LDAP map support for Postfix
postfix-mysql - MYSQL map support for Postfix
postfix-pcre - PCRE map support for Postfix
postfix-pgsql - PGSQL map support for Postfix
Closes: 356768 363134 363653 367150 369349
Changes:
postfix (2.2.10-2) unstable; urgency=high
.
* Drop conffiles listed under /etc, since debhelper does that for us now.
Closes: #356768
* Add Portugese translations. Closes: #363134
* Updated Dutch translations. Closes: #363653
* Update russian translations. Closes: #367150
* Fix postgresql escaping function. See CVE-2006-2314. Closes: #369349
Files:
29a42ef8862739bb93f78a86d26db96b 35450 mail extra postfix-mysql_2.2.10-2_i386.deb
336073a5d315a53a1392270f0e03ff6c 39762 mail extra postfix-ldap_2.2.10-2_i386.deb
37cfeb5511b0e5c33824aad9d19037b4 665686 doc extra postfix-doc_2.2.10-2_all.deb
55b4d05e412705b5c0aac7a63285a307 144521 mail extra postfix_2.2.10-2.diff.gz
57b92710b4a399c1d0db2789209df42e 35242 mail extra postfix-pgsql_2.2.10-2_i386.deb
c5df9a1a2aaaf313633da760bafd44ca 873 mail extra postfix_2.2.10-2.dsc
8d92ec5593213bbb29fcf1bdb6049f0b 110844 devel extra postfix-dev_2.2.10-2_all.deb
da58e1d8d5bafb06b0338e1f3f9dec32 34898 mail extra postfix-pcre_2.2.10-2_i386.deb
fe4fc6ba38ad88b0029e731ba6d6bf15 948682 mail extra postfix_2.2.10-2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEex3IzN/kmwoKyScRAnsQAJ9yjSso8NsRv0QSzeoFwr3c2Cgy+QCePilP
MuqbLSTUpE+2MrfmnQUAzeA=
=xAq3
-----END PGP SIGNATURE-----
--- End Message ---