Package: postfix
Severity: important
Version: 2.2.10-1
Tags: security

Hi!

Recently, a security hole has been discovered in PostgreSQL client applications, see http://www.postgresql.org/docs/techdocs.50 for details. In short, using \' for quote escaping is insecure and is now no longer allowed in some encodings which are prone to this SQL injection attack. This has been assigned CVE-2006-2314.

src/global/dict_pgsql.c, dict_pgsql_quote() currently uses \' to escape quotes, which makes it vulnerable to this attack with earlier PostgreSQL versions, and will break with the current one (since it disables this method of quote escaping by default in affected client encodings).

A quick fix is to change the function to use '' instead of \', but a better fix is to completely replace the loop with an invocation of PQescapeString() from libpq (as already noted in the XXX comment above it).

Please also pass this to upstream.

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

