Your message dated Wed, 30 Aug 2006 23:05:34 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#369250: fixed in python-pgsql 2.4.0-5sarge1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: python-pgsql
Version: 2.4.0-7
Severity: important
Tags: security, patch
Hi!
Recently, a security hole has been discovered in PostgreSQL client
applications, see http://www.postgresql.org/docs/techdocs.50 for
details. In short, using \' for quote escaping is insecure and now not
allowed any more in some encodings which are prone to this SQL
injection attack.
Quotes in python-pgsql are escaped with \'. This patch fixes that to
use '':
http://patches.ubuntu.com/patches/python-pgsql.CVE-2006-2314.diff
Please mention the CVE number in the changelog when you fix this.
Thanks,
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
--- End Message ---
--- Begin Message ---
Source: python-pgsql
Source-Version: 2.4.0-5sarge1
We believe that the bug you reported is fixed in the latest version of
python-pgsql, which is due to be installed in the Debian FTP archive:
python-pgsql_2.4.0-5sarge1.diff.gz
to pool/main/p/python-pgsql/python-pgsql_2.4.0-5sarge1.diff.gz
python-pgsql_2.4.0-5sarge1.dsc
to pool/main/p/python-pgsql/python-pgsql_2.4.0-5sarge1.dsc
python-pgsql_2.4.0-5sarge1_all.deb
to pool/main/p/python-pgsql/python-pgsql_2.4.0-5sarge1_all.deb
python2.1-pgsql_2.4.0-5sarge1_i386.deb
to pool/main/p/python-pgsql/python2.1-pgsql_2.4.0-5sarge1_i386.deb
python2.2-pgsql_2.4.0-5sarge1_i386.deb
to pool/main/p/python-pgsql/python2.2-pgsql_2.4.0-5sarge1_i386.deb
python2.3-pgsql_2.4.0-5sarge1_i386.deb
to pool/main/p/python-pgsql/python2.3-pgsql_2.4.0-5sarge1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ben Burton <[EMAIL PROTECTED]> (supplier of updated python-pgsql package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 3 Jun 2006 01:27:11 +1000
Source: python-pgsql
Binary: python-pgsql python2.1-pgsql python2.3-pgsql python2.2-pgsql
Architecture: source all i386
Version: 2.4.0-5sarge1
Distribution: stable
Urgency: high
Maintainer: Ben Burton <[EMAIL PROTECTED]>
Changed-By: Ben Burton <[EMAIL PROTECTED]>
Description:
python-pgsql - A Python DB-API 2.0 interface to PostgreSQL v7.x
python2.1-pgsql - A Python DB-API 2.0 interface to PostgreSQL v7.x
python2.2-pgsql - A Python DB-API 2.0 interface to PostgreSQL v7.x
python2.3-pgsql - A Python DB-API 2.0 interface to PostgreSQL v7.x
Closes: 369250
Changes:
python-pgsql (2.4.0-5sarge1) stable; urgency=high
.
* In routines PgQuoteString() and PgQuoteBytea(), quotes are now escaped
as '', not as \' (closes: #369250). In some multi-byte encodings you
can exploit \' escaping to inject SQL code, and so \' no longer works
for such client encodings with newer PostgreSQL servers. Thanks to
Martin Pitt for the patch.
* Reference: CVE-2006-2314.
Files:
e1898a53d17f3a2ad684001ce70de7eb 716 python optional python-pgsql_2.4.0-5sarge1.dsc
07f605fc42cdb148d471d78bc4039fd5 11820 python optional python-pgsql_2.4.0-5sarge1.diff.gz
ca6480ec9a67920140dad29884772982 17512 python optional python-pgsql_2.4.0-5sarge1_all.deb
9736ea007546132ebba104739c911a8d 142396 python optional python2.1-pgsql_2.4.0-5sarge1_i386.deb
5c0d4b626a7f6640cfe30a6456c5d557 144704 python optional python2.2-pgsql_2.4.0-5sarge1_i386.deb
0181fc891ac16ed723189b630aabcac1 144722 python optional python2.3-pgsql_2.4.0-5sarge1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEhMSMMQNuxza4YcERAiXKAJ9YBOgwXWbEC5zgF5pQ7YfxmzvV+QCcD8Hf
jioszE5XHqLdpBgLJ2IG3hs=
=b2tg
-----END PGP SIGNATURE-----
--- End Message ---