Your message dated Fri, 02 Jun 2006 08:47:26 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#369250: fixed in python-pgsql 2.4.0-8
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: python-pgsql
Version: 2.4.0-7
Severity: important
Tags: security, patch

Hi!

Recently, a security hole has been discovered in PostgreSQL client
applications, see http://www.postgresql.org/docs/techdocs.50 for
details. In short, using \' for quote escaping is insecure and now not
allowed any more in some encodings which are prone to this SQL
injection attack.

Quotes in python-pgsql are escaped with \'.  This patch fixes that to
use '':

  http://patches.ubuntu.com/patches/python-pgsql.CVE-2006-2314.diff

Please mention the CVE number in the changelog when you fix this.

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?


--- End Message ---
--- Begin Message ---
Source: python-pgsql
Source-Version: 2.4.0-8

We believe that the bug you reported is fixed in the latest version of
python-pgsql, which is due to be installed in the Debian FTP archive:

python-pgsql_2.4.0-8.diff.gz
  to pool/main/p/python-pgsql/python-pgsql_2.4.0-8.diff.gz
python-pgsql_2.4.0-8.dsc
  to pool/main/p/python-pgsql/python-pgsql_2.4.0-8.dsc
python-pgsql_2.4.0-8_all.deb
  to pool/main/p/python-pgsql/python-pgsql_2.4.0-8_all.deb
python2.3-pgsql_2.4.0-8_i386.deb
  to pool/main/p/python-pgsql/python2.3-pgsql_2.4.0-8_i386.deb
python2.4-pgsql_2.4.0-8_i386.deb
  to pool/main/p/python-pgsql/python2.4-pgsql_2.4.0-8_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Burton <[EMAIL PROTECTED]> (supplier of updated python-pgsql package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat,  3 Jun 2006 01:27:11 +1000
Source: python-pgsql
Binary: python-pgsql python2.4-pgsql python2.3-pgsql
Architecture: source all i386
Version: 2.4.0-8
Distribution: unstable
Urgency: high
Maintainer: Ben Burton <[EMAIL PROTECTED]>
Changed-By: Ben Burton <[EMAIL PROTECTED]>
Description: 
 python-pgsql - A Python DB-API 2.0 interface to PostgreSQL v7.x
 python2.3-pgsql - A Python DB-API 2.0 interface to PostgreSQL v7.x
 python2.4-pgsql - A Python DB-API 2.0 interface to PostgreSQL v7.x
Closes: 369250
Changes: 
 python-pgsql (2.4.0-8) unstable; urgency=high
 .
   * In routines PgQuoteString() and PgQuoteBytea(), quotes are now escaped
     as '', not as \' (closes: #369250).  In some multi-byte encodings you
     can exploit \' escaping to inject SQL code, and so \' no longer works
     for such client encodings with newer PostgreSQL servers.  Thanks to
     Martin Pitt for the patch.
   * Reference: CVE-2006-2314.
Files: 
 534b72623a49e7f030cc803d1ed994ce 670 python optional python-pgsql_2.4.0-8.dsc
 7922ffba11e99fb3b08113048275a363 14055 python optional python-pgsql_2.4.0-8.diff.gz
 5b8bce414243db6666467a94cb63fdfc 17858 python optional python-pgsql_2.4.0-8_all.deb
 4fa58b6e5df0c76f1beb98aea9a97eaf 144786 python optional python2.3-pgsql_2.4.0-8_i386.deb
 0ea9ef3a5ade7b868f8cdd0468180dbf 144168 python optional python2.4-pgsql_2.4.0-8_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEgFlSMQNuxza4YcERAhUpAJ9nlpXP52U5AAoORtJHmogyFZatzACgn5Zc
jaiOymx3OHknQb7UrGwrtQY=
=iRVK
-----END PGP SIGNATURE-----


--- End Message ---
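
Added example, not part of either message above and not code from python-pgsql or PostgreSQL: a small model of the quoting problem described in the bug report and in the 2.4.0-8 changelog, using GBK as one multi-byte encoding in which 0x5C is a valid trail byte. The function names, the simplified scanner and the sample inputs are assumptions constructed for illustration.

```python
# Added illustration; not code from python-pgsql or PostgreSQL.
# The scanner is a simplified, hypothetical model of an encoding-aware parser.
QUOTE, BACKSLASH = 0x27, 0x5C

def escape_backslash(raw: bytes) -> bytes:
    """Old style, byte-wise and encoding-unaware: ' becomes \\'."""
    return raw.replace(b"\\", b"\\\\").replace(b"'", b"\\'")

def escape_doubling(raw: bytes) -> bytes:
    """Fixed style, byte-wise and encoding-unaware: ' becomes ''."""
    return raw.replace(b"\\", b"\\\\").replace(b"'", b"''")

def scan_literal_gbk(sql: bytes):
    """Scan one literal as GBK, starting at its opening quote.

    Returns (value, bytes left over after the closing quote)."""
    out, i = bytearray(), 1
    while i < len(sql):
        b = sql[i]
        nxt = sql[i + 1] if i + 1 < len(sql) else None
        if 0x81 <= b <= 0xFE:                      # GBK lead byte
            if nxt is None or not 0x40 <= nxt <= 0xFE or nxt == 0x7F:
                raise ValueError("invalid multibyte sequence")
            out += sql[i:i + 2]                    # trail byte consumed, even if it is 0x5C
            i += 2
        elif b == BACKSLASH and nxt is not None:   # backslash escape
            out.append(nxt)
            i += 2
        elif b == QUOTE and nxt == QUOTE:          # doubled quote
            out.append(QUOTE)
            i += 2
        elif b == QUOTE:                           # closing quote
            return bytes(out), sql[i + 1:]
        else:
            out.append(b)
            i += 1
    raise ValueError("unterminated literal")

def classify(escape, raw: bytes) -> str:
    """How the modelled parser sees raw after escaping and wrapping in quotes."""
    try:
        value, rest = scan_literal_gbk(b"'" + escape(raw) + b"'")
    except ValueError:
        return "rejected"
    return "intact" if (value, rest) == (raw, b"") else "closed early"

if __name__ == "__main__":
    benign, crafted = b"O'Reilly", b"\xbf' TAIL"   # constructed sample inputs
    for name, fn in (("\\'", escape_backslash), ("''", escape_doubling)):
        print(name, classify(fn, benign), "|", classify(fn, crafted))
```

In this model the \' form turns the lone lead byte plus the inserted backslash into one valid character, so the quote that follows ends the literal early; with '' the lead byte stays invalid and the literal is rejected instead of being reinterpreted.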
