Package: psycopg
Version: 1.1.21-3
Severity: important
Tags: security, patch

Hi!

Recently, a security hole has been discovered in PostgreSQL client applications, see http://www.postgresql.org/docs/techdocs.50 for details. In short, using \' for quote escaping is insecure and is now not allowed any more in some encodings which are prone to this SQL injection attack.

Quotes in normal strings are already correctly escaped as '', but the psycopg.Binary() function still uses \'. This patch fixes that:

http://patches.ubuntu.com/patches/psycopg.CVE-2006-2314.diff

Please see the Ubuntu bug https://launchpad.net/bugs/46473 for some more details (including a small test program).

Please mention the CVE number in the changelog when you fix this.

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

