Re: packages that use deprecated SQL escape functions
Hi Steffen,

Steffen Joeris wrote:
> Thanks to Kees, I have prepared a list of packages (below) that are
> still using the deprecated functions.

Can you post a dd-list? Your list doesn't include uploaders, so it's easy to miss team-maintained packages.

Thanks,
Emilio
Re: packages that use deprecated SQL escape functions
Hi

On Thu, 15 Oct 2009 13:26:14 +1100 Steffen Joeris <steffen.joe...@skolelinux.de> wrote:
> gammu: Michal Čihař <ni...@debian.org>
> ./gammu-1.24.0/smsd/services/pgsql.c: PQescapeString(buffer4, buffer2, strlen(buffer2));
> ./gammu-1.24.0/smsd/services/pgsql.c: PQescapeString(buffer5, buffer2, strlen(buffer2));
> ./gammu-1.24.0/smsd/services/pgsql.c: PQescapeString(buffer5, buffer2, strlen(buffer2));

PQescapeString is used only if PQescapeStringConn is not available at compile time, which was AFAIK the case in some older PostgreSQL versions.

-- 
Michal Čihař | http://cihar.com | http://blog.cihar.com
Re: packages that use deprecated SQL escape functions - dd-list
On Thu, Oct 15, 2009 at 10:27:57AM +0200, Emilio Pozuelo Monfort wrote:
> > Thanks to Kees, I have prepared a list of packages (below) that are
> > still using the deprecated functions.
>
> Can you post a dd-list? Your list doesn't include uploaders so it's
> easy to miss team maintained packages.

Please find below the result of:

  $ egrep '^\w+:' body.txt | grep -v NOTE | cut -f 1 -d: | dd-list --stdin > dd-list.txt

where body.txt is the body of Steffen's mail. I just added Myon by hand because libyada is only in stable and on my sid machine dd-list didn't find it.

Cheers.

Carlos Eduardo Sotelo Pinto (krlos) <krlos@gmail.com>
   sitebar

Marcelo Jorge Vieira (metal) <me...@alucinados.com>
   scuttle

Micah Anderson <mi...@debian.org>
   dsyslog (U)

Leopold Palomo Avellaneda <l...@alaxarxa.net>
   bulmages (U)

Christian Bayle <ba...@debian.org>
   cvsnt (U)

Romain Beauxis <to...@rastageeks.org>
   mediawiki (U)

Edelhard Becker <edelh...@debian.org>
   zoph

Dave Beckett <daj...@debian.org>
   redland

Luciano Bello <luci...@debian.org>
   nepenthes

Marcus Better <mar...@better.se>
   ser (U)

Darren Blaber <dmbt...@gmail.com>
   dsyslog (U)

Matt Brown <ma...@debian.org>
   phpwiki

Ross Burton <r...@debian.org>
   onak (U)

Luca Capello <l...@pca.it>
   clisp (U)

Nuno Carvalho <mestre.sm...@gmail.com>
   parrot (U)

Thadeu Lima de Souza Cascardo <casca...@minaslivre.org>
   jabberd2 (U)

Pierre Chifflier <pol...@debian.org>
   libpreludedb (U)
   ulogd (U)
   wzdftpd

Debian BOINC Maintainers <pkg-boinc-de...@lists.alioth.debian.org>
   boinc

Debian Common Lisp Team <pkg-common-lisp-de...@lists.alioth.debian.org>
   clisp

Debian GNOME Maintainers <pkg-gnome-maintain...@lists.alioth.debian.org>
   libgda3

Debian Parrot Maintainers <pkg-parrot-de...@lists.alioth.debian.org>
   parrot

Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
   gnugk
   ser

Debian XMPP Maintainers <pkg-xmpp-de...@lists.alioth.debian.org>
   jabberd2

WebCalendar Debian package development <rafael-webcalen...@debian.org>
   webcalendar

Peter Eisentraut <pet...@debian.org>
   pgpool2

Raphael Enrici <black...@club-internet.fr>
   pgadmin3

Peter Van Eynde <pvane...@debian.org>
   clisp (U)

Gerfried Fuchs <rho...@debian.at>
   pgadmin3 (U)
   spl

David Moreno Garza <da...@debian.org>
   phpwiki (U)

Thomas Goirand <tho...@goirand.fr>
   dtc

Stephen Gran <sg...@debian.org>
   freeradius

Debian QA Group <packa...@qa.debian.org>
   mnogosearch
   pgtcl
   prokyon3
   sqlrelay

Pascal Hakim <p...@debian.org>
   snort (U)

Peter Howard <p...@northern-ridge.com.au>
   zoneminder

Mark Hymers <m...@debian.org>
   freeradius (U)

Matthias Klose <d...@debian.org>
   pygresql

Achilleas Kotsis <achi...@kotsis.net>
   ulogd

Kilian Krause <kil...@debian.org>
   gnugk (U)
   ser (U)

Elizabeth Krumbach <l...@princessleia.com>
   webcalendar (U)

Rafael Laboissiere <raf...@debian.org>
   webcalendar (U)

Carlos Laviola <clavi...@debian.org>
   fpc

Penny Leach <pe...@mjollnir.org>
   moodle (U)

Faidon Liambotis <parav...@debian.org>
   gnugk (U)

Xavier Luthi <xav...@caroxav.be>
   b2evolution
   pixelpost

Francois Marier <franc...@debian.org>
   moodle (U)

Christoph Martin <christoph.mar...@uni-mainz.de>
   boinc (U)

TSUCHIYA Masatoshi <tsuch...@namazu.org>
   texfam

Rene Mayorga <rmayo...@debian.org>
   boinc (U)

Jonathan McDowell <nood...@earth.li>
   onak

Mediawiki Maintenance Team <pkg-mediawiki-de...@lists.alioth.debian.org>
   mediawiki

Martin Meredith <m...@debian.org>
   symfony

Patrick Michaud <pmich...@pobox.com>
   parrot (U)

Miguel Gea Milvaques <xera...@debian.org>
   bulmages (U)

Loic Minier <l...@dooz.org>
   libgda3 (U)

Steffen Moeller <steffen_moel...@gmx.de>
   boinc (U)

Emilio Pozuelo Monfort <po...@debian.org>
   libgda3 (U)

René Mérou <ochominutosdea...@gmail.com>
   bulmages

Mazen Neifer <ma...@freepascal.org>
   fpc (U)

Javier Fernandez-Sanguino Pen~a <j...@debian.org>
   snort

Mathieu Petit-Clair <m...@moodle.com>
   moodle (U)

William Pitcock <neno...@dereferenced.org>
   dsyslog

Dan Poltawski <talkto...@gmail.com>
   moodle (U)

Mickael Profeta <prof...@debian.org>
   libpreludedb

Mark Purcell <m...@debian.org>
   gnugk (U)
   ser (U)

Allison Randal <alli...@parrot.org>
   parrot (U)

Tomeu Borràs Riera <tbor...@conetxcia.com>
   bulmages (U)

Jorge Salamero Sanz <ben...@debian.org>
   jabberd2 (U)

Jens Peter Secher <j...@debian.org>
   neko

Charlie Smotherman <cj...@cableone.net>
   ampache

Jörg Sommer <jo...@alea.gnuu.de>
   xindy

Radu Spineanu <r...@debian.org>
   pvpgn

Uwe Steinmann <ste...@debian.org>
   netmrg

Moodle Packaging Team <moodle-packag...@catalyst.net.nz>
   moodle

Fabio Tranchitella <kob...@debian.org>
   psycopg2

Andreas Tscharner <a...@vis.ethz.ch>
   cvsnt

Torsten Werner <twer...@debian.org>
   fpc (U)

Michal Čihař <ni...@debian.org>
   gammu
   rpm2html

Christoph Berg <m...@debian.org>
   libyada

-- 
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
z...@{upsilon.cc,pps.jussieu.fr,debian.org} -- http://upsilon.cc/zack/
Behind a great man there is ..| . |. And do not
Re: packages that use deprecated SQL escape functions
Hi Steffen,

In future checks it would be easier and more accurate to look for the deprecated functions in the binary packages, because not all of the packages ship/use all of the files they include in the source package.

FTR, in php 5.3 the mysql_escape_string function is marked as deprecated (and depending on the error reporting level it will warn) and in php6 it is gone.

And applications using pgsql don't need any change, as the pgsql extension uses PQescapeStringConn if available at compile time and if there's an active connection.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: packages that use deprecated SQL escape functions
Raphael Geissert <geiss...@debian.org> writes:
> FTR, in php 5.3 the mysql_escape_string function is marked as
> deprecated (and depending on the error reporting level it will warn)
> and in php6 it is gone.

Reference, please? I'd like to know what function is recommended to replace this one.

-- 
 \     “Never use a long word when there's a commensurate diminutive |
  `\                                 available.” —Stan Kelly-Bootle |
_o__)                                                                |
Ben Finney
Re: packages that use deprecated SQL escape functions
2009-10-16, Ben Finney:
> Raphael Geissert <geiss...@debian.org> writes:
> > FTR, in php 5.3 the mysql_escape_string function is marked as
> > deprecated (and depending on the error reporting level it will warn)
> > and in php6 it is gone.
>
> Reference, please? I'd like to know what function is recommended to
> replace this one.

According to php.net [0], they recommend using 'mysql_real_escape_string' instead [1]. Note that mysql_real_escape_string behaves a little bit differently from mysql_escape_string, though.

[0] http://ar2.php.net/mysql_escape_string
[1] http://ar2.php.net/manual/en/function.mysql-real-escape-string.php

Regards,
Mauro

-- 
JID: lavaram...@jabber.org | http://lizaur.github.com/
2B82 A38D 1BA5 847A A74D 6C34 6AB7 9ED6 C8FD F9C1
Re: packages that use deprecated SQL escape functions
Mauro Lizaur <deb...@cacavoladora.org> writes:
> According to php.net [0], they recommend to use
> 'mysql_real_escape_string' instead [1]. Note that
> mysql_real_escape_string behaves a little bit different from
> mysql_escape_string, though.
>
> [0] http://ar2.php.net/mysql_escape_string
> [1] http://ar2.php.net/manual/en/function.mysql-real-escape-string.php

Thank you for the prompt answer.

-- 
 \     “We spend the first twelve months of our children's lives |
  `\   teaching them to walk and talk and the next twelve years |
_o__)          telling them to sit down and shut up.” —Phyllis Diller |
Ben Finney
Re: packages that use deprecated SQL escape functions
On Thu, Oct 15, 2009 at 01:26:14PM +1100, Steffen Joeris wrote:
> In the near future, I will try to do the archive scan again and file
> bugs with severity normal for the packages below that are still
> relying on the deprecated functions. (Should they be found vulnerable,
> the severity will be raised of course).

Dear Steffen,

shouldn't the upstream maintainer(s) be warned before the security issue is advertised in public?

Have a nice day,

-- 
Charles Plessy
Debian Med packaging team, http://www.debian.org/devel/debian-med
Tsurumi, Kanagawa, Japan
Re: packages that use deprecated SQL escape functions
Hi Charles

On Thu, 15 Oct 2009 01:50:35 pm Charles Plessy wrote:
> Le Thu, Oct 15, 2009 at 01:26:14PM +1100, Steffen Joeris a écrit :
> > In the near future, I will try to do the archive scan again and file
> > bugs with severity normal for the packages below that are still
> > relying on the deprecated functions. (Should they be found
> > vulnerable, the severity will be raised of course).
>
> Dear Steffen,
>
> shouldn't the upstream maintainer(s) be warned before the security
> issue is advertised in public?

Before I sent the list, I checked some of the major packages together with the maintainers, so there was some work that happened in the background before publication. Also, I don't expect many of the packages below to be vulnerable, because not every application allows the setting of the client encoding. Also, I've released a few DSAs to update common bindings in different languages that only offered the deprecated functions. At this stage, it is better to publish this list and ask the maintainers for help, because we don't have the manpower to check them all individually and test them.

Cheers
Steffen
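Why the deprecated escapers matter only when the client encoding can be set, as Steffen says above, and why the connection-aware replacements Raphael and Mauro point to (PQescapeStringConn, mysql_real_escape_string) need a live connection: an added example, not code from this thread or from any of the packages listed. Both escapers below are toy models written for this example, not libpq or libmysqlclient code. The connection is assumed to use GBK as its client encoding, and the attacker input is constructed. The encoding-aware model follows the rule libmysqlclient's escape routine applies to an apparent multibyte lead byte that does not begin a valid character (it escapes that byte too); libpq's PQescapeStringConn instead copies each multibyte character whole using the connection's encoding, but the requirement is the same: the escaper must know the encoding the server will parse with.

```python
# Added example: a byte-wise escaper that knows nothing about the client
# encoding (the PQescapeString / mysql_escape_string situation) versus an
# escaper that knows the connection uses GBK. Toy models, not library code.

# GBK code space: lead byte 0x81-0xFE, trail byte 0x40-0x7E or 0x80-0xFE.
def gbk_is_lead(b: int) -> bool:
    return 0x81 <= b <= 0xFE

def gbk_is_trail(b: int) -> bool:
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFE

def gbk_mbchar_len(data: bytes, i: int) -> int:
    """2 if data[i:i+2] is a valid GBK lead+trail pair, else 1 (lone byte)."""
    if gbk_is_lead(data[i]) and i + 1 < len(data) and gbk_is_trail(data[i + 1]):
        return 2
    return 1

def escape_unaware(data: bytes) -> bytes:
    """Model of the deprecated escapers: no encoding information, so every
    0x27 (') and 0x5C (\\) byte gets a backslash wherever it sits."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x5C):
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def escape_gbk_aware(data: bytes) -> bytes:
    """Model of the connection-aware escaper for a GBK connection: a valid
    multibyte character is copied untouched (even if its trail byte is 0x5C),
    and a lead byte that does NOT begin a valid character is itself escaped,
    so it cannot pair up with the backslash added for a following quote."""
    out = bytearray()
    i = 0
    while i < len(data):
        if gbk_mbchar_len(data, i) == 2:
            out += data[i:i + 2]
            i += 2
            continue
        b = data[i]
        if b in (0x27, 0x5C) or gbk_is_lead(b):
            out.append(0x5C)
        out.append(b)
        i += 1
    return bytes(out)

def literal_is_closed_early(literal: bytes) -> bool:
    """Read the escaped bytes the way a GBK-aware SQL lexer reads the inside
    of a '...' literal: a valid multibyte character is skipped whole, a
    backslash skips the next byte, a bare 0x27 ends the literal. True means
    the literal ended before the data did, i.e. the attacker broke out."""
    i = 0
    while i < len(literal):
        if gbk_mbchar_len(literal, i) == 2:
            i += 2
        elif literal[i] == 0x5C:
            i += 2
        elif literal[i] == 0x27:
            return True
        else:
            i += 1
    return False

# Constructed attacker input: a lone GBK lead byte directly followed by a quote.
PAYLOAD = b"\xbf' OR 1=1 -- "

def demo() -> tuple:
    """Returns (broke_out_with_unaware_escaper, broke_out_with_aware_escaper)."""
    unaware = escape_unaware(PAYLOAD)    # bf 5c 27 ...: bf 5c is a valid GBK char, the quote survives
    aware = escape_gbk_aware(PAYLOAD)    # 5c bf 5c 27 ...: lead byte and quote are both escaped
    return literal_is_closed_early(unaware), literal_is_closed_early(aware)

if __name__ == "__main__":
    print(demo())
```

The unaware escaper turns bf 27 into bf 5c 27; a server parsing GBK reads bf 5c as one character and then sees a bare quote, so the literal closes and the rest of the payload is parsed as SQL. That is exactly why an application whose users cannot change the client encoding is unaffected, and why the replacement functions take a connection handle: the escaping has to be done in the encoding the server will parse.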