Hello,

there's a bug with the "+etch2" security update of courier-authlib, see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=509280
but the bug was just corrected by the security team. I just received this apticron message from my imap server:

------------
The following packages are currently pending an upgrade:

    courier-authdaemon 0.58-4+etch3
    courier-authlib 0.58-4+etch3
    courier-authlib-userdb 0.58-4+etch3

Package Details:

courier-authlib (0.58-4+etch3) stable-security; urgency=high

  * Non-maintainer upload by the security team
  * Fix regression in SQL query, when authenticating with a username
    and not a mail address
    Thanks to Micha Lenk for helping me spot this
------------

The bug seems to be in the courier-authlib package, not courier-authlib-mysql, but I think we can do our apt-get update / upgrade with "no stress" as usual ;-)

--
Arnaud

> Hi,
>
> Some time ago I updated courier-authlib with the Debian security update
> against the SQL injections.
> The problem now is that I have a lot of users that log in without a domain in
> their login id (I had to keep passwords from an old qmail :'(, and then the
> username to log in is not [email protected] but user-and-some-random-things
> ...). Before the update, it was working fine, but right now it seems that the
> queries look more like:
>
> SELECT username, crypt, "", uid, gid, pop,
> "", quota, realname, "" FROM users WHERE username = 'remy@'
>
> The @ does not seem to be going away. I've been looking quickly in the sources,
> and I've seen that the tests are still present in authmysqllib.c, but they do
> not seem to be effective anymore...
> And by the way, I did not define any custom select query.
>
> Can anyone propose something that could solve this problem, or help me to
> debug it? Some quick help would be appreciated, before I'm burned alive by
> my users/client...
>
> Thanks :)

_______________________________________________
courier-users mailing list
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
