Your message dated Wed, 24 Mar 2010 20:24:58 +0000 (WET)
with message-id <[email protected]>
and subject line Package nagios has been removed from Debian
has caused the Debian Bug report #369362,
regarding nagios: Insecure quote escaping in PostgreSQL backend
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
369362: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=369362
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nagios
Severity: important
Version: 2:1.4-1
Tags: security

Hi!

Recently, a security hole has been discovered in PostgreSQL client
applications, see http://www.postgresql.org/docs/techdocs.50 for
details. In short, using \' for quote escaping is insecure and is now no
longer allowed in some encodings which are prone to this SQL
injection attack. This has been assigned CVE-2006-2314.

The various xdata/xr*.c modules currently use \' to escape quotes, which makes
them vulnerable to this attack with earlier PostgreSQL versions, and will
break with the current one (since it disables this method of quote escaping by
default in affected client encodings). The database query quoting should be
changed to use '' instead of \', but a better fix is to completely replace
custom quoting with an invocation of PQescapeString() from libpq.

Please be aware that this also affects other database backends in principle
(unless they do not support the affected encodings). Also, '' is the SQL
standard escape for ', not \'.

Please also pass this to upstream.

Thank you!

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?



--- End Message ---
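The two quoting rules the report contrasts, as an added example that is not nagios code, not libpq, and not part of the bug thread: an escaper that doubles single quotes (the SQL-standard '' form the report asks for, with the same 2*length+1 output-buffer contract as PQescapeString()), a quote_literal() wrapper around it, and a small scanner that checks a finished literal under standard string rules. The scanner is an assumption-free way to see the breakage the report predicts: a value escaped the old way, 'O\'Brien', ends at the \' byte pair once backslash escaping is disabled, while 'O''Brien' spans the whole literal. In real code against a live connection, libpq's PQescapeStringConn() is the call to use, since it also knows the connection's client encoding; this file stays libpq-free so it compiles anywhere.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * SQL-standard quote doubling (added example, not the nagios or libpq
 * implementation). Mirrors the PQescapeString() contract: 'to' must have
 * room for 2*length+1 bytes; returns bytes written, excluding the NUL.
 */
size_t escape_sql_standard(char *to, const char *from, size_t length)
{
    size_t written = 0;
    for (size_t i = 0; i < length && from[i] != '\0'; i++) {
        if (from[i] == '\'')
            to[written++] = '\'';   /* emit ' twice, giving '' */
        to[written++] = from[i];
    }
    to[written] = '\0';
    return written;
}

/* Wrap an escaped value in single quotes; caller frees the result. */
char *quote_literal(const char *value)
{
    size_t len = strlen(value);
    char *escaped = malloc(2 * len + 1);
    if (escaped == NULL)
        return NULL;
    escape_sql_standard(escaped, value, len);

    char *literal = malloc(strlen(escaped) + 3);   /* two quotes + NUL */
    if (literal == NULL) {
        free(escaped);
        return NULL;
    }
    sprintf(literal, "'%s'", escaped);
    free(escaped);
    return literal;
}

/*
 * Scan a string under SQL-standard literal rules: the literal opens and
 * closes with ', and '' inside it is an escaped quote (backslash has no
 * special meaning). Returns 1 when exactly one literal spans the whole
 * input, 0 when the literal closes early or never closes.
 */
int literal_is_well_formed(const char *s)
{
    size_t n = strlen(s);
    if (n < 2 || s[0] != '\'')
        return 0;
    size_t i = 1;
    while (i < n) {
        if (s[i] == '\'') {
            if (i + 1 < n && s[i + 1] == '\'') {   /* escaped quote */
                i += 2;
                continue;
            }
            return i == n - 1;   /* closing quote must be the last byte */
        }
        i++;
    }
    return 0;   /* ran off the end without a closing quote */
}

int main(void)
{
    /* Constructed sample value containing a single quote. */
    const char *value = "O'Brien";
    char *good = quote_literal(value);
    const char *old_style = "'O\\'Brien'";   /* the \' form the report rejects */

    printf("standard : %s -> well-formed=%d\n", good,
           literal_is_well_formed(good));
    printf("backslash: %s -> well-formed=%d\n", old_style,
           literal_is_well_formed(old_style));
    free(good);
    return 0;
}
```

The well-formed check only models the standard quoting rule; it says nothing about encoding-specific problems, which is exactly why the report prefers libpq's own escaping over hand-rolled code.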
--- Begin Message ---
Version: 2:1.4-3.2+rm

You filed the bug http://bugs.debian.org/369362 in Debian BTS
against the package nagios. I'm closing it at *unstable*, but it will
remain open for older distributions.

For more information about this package's removal, read
http://bugs.debian.org/464774. That bug might give the reasons why
this package was removed and suggestions of possible replacements.

Don't hesitate to reply to this mail if you have any questions.

Thank you for your contribution to Debian.

--
Marco Rodrigues


--- End Message ---
