Your message dated Mon, 09 May 2005 07:32:18 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#230875: fixed in pam-pgsql 0.5.2-9
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 3 Feb 2004 03:01:13 +0000
From [EMAIL PROTECTED] Mon Feb 02 19:01:13 2004
Return-path: <[EMAIL PROTECTED]>
Received: from master.debian.org [146.82.138.7]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1AnqoL-0000RW-00; Mon, 02 Feb 2004 19:01:13 -0800
Received: from bsn-77-233-170.dsl.siol.net ([192.168.50.1]) [193.77.233.170]
by master.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1AnqoK-0001Pe-00; Mon, 02 Feb 2004 21:01:12 -0600
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Primoz Bratanic <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: libpam-pgsql: Some notes about pam_pgsql security
X-Mailer: reportbug 2.41
Date: Tue, 03 Feb 2004 04:01:11 +0100
X-Debbugs-Cc: [EMAIL PROTECTED]
Message-Id: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_02_01
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.4 required=4.0 tests=HAS_PACKAGE,OUR_MTA_MSGID,
UPPERCASE_25_50,X_DEBBUGS_CC autolearn=no
version=2.60-bugs.debian.org_2004_02_01
X-Spam-Level:
Package: libpam-pgsql
Version: 0.5.2-7
Severity: grave
Tags: security sid
Justification: user security hole
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Since shipping with postgresql 7.4 it should probably make use of the
PQescapeString function.
Package does not escape anything sent to database except username. It should
probably escape everything. Otherwise strange things may happen due to
errors in configuration files.
IMPORTANT:
NEW PASSWORDS ARE NOT ESCAPED. CONFIGURATION ALLOWS HAVING PLAINTEXT
PASSWORDS. USING PLAINTEXT PASSWORDS ALLOWS INJECTION OF AN ARBITRARY STRING
INTO THE UPDATE SQL BY ANY USER CHANGING HIS/HER PASSWORD.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.0-1-686
Locale: LANG=C, LC_CTYPE=sl_SI.UTF-8
Versions of packages libpam-pgsql depends on:
ii libc6 2.3.2.ds1-11 GNU C Library: Shared libraries an
ii libmhash2 0.8.18-4 Library for cryptographic hashing
ii libpam0g 0.76-15 Pluggable Authentication Modules l
ii libpq3 7.4.1-2 Shared library libpq.so.3 for Post
-- no debconf information
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAHw73HOuqnSwJthERAnPIAKDhcfT2jV9SKmQRVjknUi5Qlv3KrACfSVqD
V6jaxxc3+VeblveWLKNi8Us=
=t4sT
-----END PGP SIGNATURE-----
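The escaping the report asks for, shown as an added example that is not pam_pgsql's own code: a small escaper that mimics the single-quote and backslash doubling PQescapeString performed in the libpq 7.4 era, the password-change UPDATE built with and without it, and a quote-parity check a defender can run over generated SQL. Table and column names and the sample password are constructed; production code should call libpq's PQescapeStringConn or, better, pass the values as bound parameters through PQexecParams (available since PostgreSQL 7.4) rather than re-implement the escaper.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for libpq's PQescapeString(to, from, length) as it behaved around
 * PostgreSQL 7.4: single quotes and backslashes are doubled so the result can
 * sit inside a '...' literal. 'to' needs 2*length+1 bytes; returns bytes written. */
size_t escape_like_pq(char *to, const char *from, size_t length)
{
    size_t n = 0;
    for (size_t i = 0; i < length && from[i] != '\0'; i++) {
        if (from[i] == '\'' || from[i] == '\\')
            to[n++] = from[i];          /* emit the character twice */
        to[n++] = from[i];
    }
    to[n] = '\0';
    return n;
}
/* Assumed shape of the password-change UPDATE; table/column names are
 * illustrative, not taken from pam_pgsql's configuration. */
#define UPDATE_FMT "UPDATE users SET password='%s' WHERE login='%s'"
/* escape_password == 0 mirrors the defect in the report (login escaped, new
 * password interpolated raw); != 0 escapes both values. Caller frees. */
char *build_update(const char *login, const char *newpw, int escape_password)
{
    char *esc_login = malloc(2 * strlen(login) + 1);
    char *esc_pw = malloc(2 * strlen(newpw) + 1);
    char *sql = NULL;
    if (esc_login && esc_pw) {
        escape_like_pq(esc_login, login, strlen(login));
        if (escape_password)
            escape_like_pq(esc_pw, newpw, strlen(newpw));
        else
            strcpy(esc_pw, newpw);      /* raw, as the vulnerable path did */
        size_t len = strlen(UPDATE_FMT) + strlen(esc_login) + strlen(esc_pw) + 1;
        if ((sql = malloc(len)) != NULL)
            snprintf(sql, len, UPDATE_FMT, esc_pw, esc_login);
    }
    free(esc_login);
    free(esc_pw);
    return sql;
}
/* Structural check for generated SQL: with every embedded quote doubled, the
 * statement contains an even number of single-quote characters. */
int quotes_balanced(const char *sql)
{
    int count = 0;
    for (; *sql; sql++) count += (*sql == '\'');
    return count % 2 == 0;
}
```

For a constructed password such as `O'Reilly`, the unescaped build yields an odd quote count (the literal is terminated early), while the escaped build yields `password='O''Reilly'` and passes the parity check.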
---------------------------------------
Received: (at 230875-close) by bugs.debian.org; 9 May 2005 11:46:56 +0000
From [EMAIL PROTECTED] Mon May 09 04:46:56 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DV6iu-0004E4-00; Mon, 09 May 2005 04:46:56 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1DV6Uk-0004lU-00; Mon, 09 May 2005 07:32:18 -0400
From: Primoz Bratanic <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#230875: fixed in pam-pgsql 0.5.2-9
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 09 May 2005 07:32:18 -0400
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
X-CrossAssassin-Score: 11
Source: pam-pgsql
Source-Version: 0.5.2-9
We believe that the bug you reported is fixed in the latest version of
pam-pgsql, which is due to be installed in the Debian FTP archive:
libpam-pgsql_0.5.2-9_i386.deb
to pool/main/p/pam-pgsql/libpam-pgsql_0.5.2-9_i386.deb
pam-pgsql_0.5.2-9.diff.gz
to pool/main/p/pam-pgsql/pam-pgsql_0.5.2-9.diff.gz
pam-pgsql_0.5.2-9.dsc
to pool/main/p/pam-pgsql/pam-pgsql_0.5.2-9.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Primoz Bratanic <[EMAIL PROTECTED]> (supplier of updated pam-pgsql package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 8 May 2005 23:10:16 +0200
Source: pam-pgsql
Binary: libpam-pgsql
Architecture: source i386
Version: 0.5.2-9
Distribution: unstable
Urgency: low
Maintainer: Primoz Bratanic <[EMAIL PROTECTED]>
Changed-By: Primoz Bratanic <[EMAIL PROTECTED]>
Description:
libpam-pgsql - PAM module to authenticate using a PostgreSQL database
Closes: 130496 139473 142889 204181 204439 218291 230875 236484 240823 247536
280774 281703 303198 307366 307784
Changes:
pam-pgsql (0.5.2-9) unstable; urgency=low
.
* Reapplied security patches (Closes: #230875,#307784)
* Boolean values work with boolean type as well (Closes: #130496)
* Documentation typo (Closes: #218291)
* Reapplied other NMU patches (Closes: #307366)
* Allow port specification (Closes: #247536)
* Reapplied "Stack-Friendly patch" (Closes: #139473)
* Deleted wrong README.Debian (Closes: #204181)
* Documented host and port options (Closes: #204439)
* Reapplied patch to allow different config files (Closes: #236484)
* Reapplied patch to support another MD5 type passwords (Closes: #142889)
* Change "must change password" field (if any) to false after changing
password
* Deleted build-all from root (Closes: #240823)
* Fixed a few memory leaks (Closes: #280774)
* Added timeout option for database connects (Closes: #281703)
* Use debian/compat instead of DH_COMPAT
* drop DH_COMPAT and DH_VERBOSE exports from debian/rules
* don't ask root for password when changing password
* New Maintainer (Closes: #303198)
* Fixed PAM stack to behave exactly as expected with use_authtok
* Fixed a lot of memory leaks introduced by security patches
* Fixed a lot of memory leaks around returning error early
Files:
074fc0709067f077f6972e980ed6a464 620 admin extra pam-pgsql_0.5.2-9.dsc
f667f5b2dc4689d4b5abe58adea10428 71833 admin extra pam-pgsql_0.5.2-9.diff.gz
41fbf6743108146098868d82abb79b86 15394 admin extra libpam-pgsql_0.5.2-9_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCf0ZA97LBwbNFvdMRAjxdAJ4mx2lgQnszA30FmjovGtEx460gyQCfYwAB
mymZOzojT/MstkqwUrKX/K8=
=dJ7/
-----END PGP SIGNATURE-----