Hi,

Attached is the NMU patch.

Cheers,
Steffen
diff -u libapache2-mod-authnz-external-3.2.4/debian/changelog libapache2-mod-authnz-external-3.2.4/debian/changelog --- libapache2-mod-authnz-external-3.2.4/debian/changelog +++ libapache2-mod-authnz-external-3.2.4/debian/changelog @@ -1,3 +1,11 @@ +libapache2-mod-authnz-external (3.2.4-2.1) unstable; urgency=high + + * Non-maintainer upload by the security team + * Fix SQL injection via the $user paramter (Closes: #633637) + Fixes: CVE-2011-2688 + + -- Steffen Joeris <wh...@debian.org> Mon, 18 Jul 2011 10:26:11 +1000 + libapache2-mod-authnz-external (3.2.4-2) unstable; urgency=low * libapache2-mod-authnz-external does not install the .load file only in patch2: unchanged: --- libapache2-mod-authnz-external-3.2.4.orig/mysql/mysql-auth.pl +++ libapache2-mod-authnz-external-3.2.4/mysql/mysql-auth.pl @@ -62,7 +62,8 @@ exit 1; } -my $dbq = $dbh->prepare("select username as username, password as password from users where username=\'$user\';"); +my $dbq = $dbh->prepare("select username as username, password as password from users where username=?;"); +$dbq->bind_param(1, $user); $dbq->execute; my $row = $dbq->fetchrow_hashref();
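Review bot: the changelog entry's bullet "Fix SQL injection via the $user paramter" misspells "parameter"; since this text is shipped in the package changelog, it is worth correcting to "Fix SQL injection via the $user parameter (Closes: #633637)" before upload.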
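Review bot: in the mysql-auth.pl hunk, `$dbq->execute;` still discards its return value, so a failed query falls through to `$dbq->fetchrow_hashref()` on a statement that never ran, and the script then decides on an undefined `$row` rather than bailing out. The surrounding code already uses `exit 1;` on error, so `$dbq->execute or exit 1;` keeps that convention; equivalently, `$dbq->execute($user) or exit 1;` binds the placeholder in the same call and makes the separate `bind_param(1, $user)` line unnecessary. The switch from interpolating `$user` into the SQL string to a `?` placeholder is otherwise the correct fix for the injection.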