Package: pygresql Version: 1:3.7-1 Severity: important Tags: security, patch
Hi! Recently, a security hole has been discovered in PostgreSQL client applications, see http://www.postgresql.org/docs/techdocs.50 for details. In short, using \' for quote escaping is insecure and now not allowed any more in some encodings which are prone to this SQL injection attack. Quotes in the pgdb wrapper are already correctly escaped as '', but some functions in the classic pg module still use \'. This patch fixes that: http://patches.ubuntu.com/patches/pygresql.CVE-2006-2314.diff Please mention the CVE number in the changelog when you fix this. Thanks, Martin -- Martin Pitt http://www.piware.de Ubuntu Developer http://www.ubuntu.com Debian Developer http://www.debian.org In a world without walls and fences, who needs Windows and Gates?
signature.asc
Description: Digital signature
