We have audited the Jifty::DBI code and have found several weaknesses. We recommend that sites with Jifty deployments upgrade its Jifty::DBI to 0.68.
Jifty::DBI versions up to and including 0.67 have SQL injection weaknesses that could cause applications to have vulnerabilities, depending on how they pass user-provided data into Jifty::DBI method calls. We do not believe attacks to be capable of directly inserting, altering or removing data from the database, but a user could possibly use them to retrieve unauthorized data.

Be sure to run your application's test suite against Jifty::DBI 0.68, because Jifty::DBI now rejects some previously-accepted abuses of method parameters. For example, if your application passes a function call in the "column" parameter of the limit() method, you must change this to use the "function" parameter instead.

You can get Jifty::DBI 0.68 from a CPAN mirror near you, using your ordinary CPAN client or by downloading the following tarball:

http://search.cpan.org/CPAN/authors/id/S/SA/SARTAK/Jifty-DBI-0.68.tar.gz

4f2d2c10f225a8e10afc04fb2745e99bd3dd5d4b Jifty-DBI-0.68.tar.gz

Shawn

_______________________________________________
jifty-devel mailing list
jifty-devel@lists.jifty.org
http://lists.jifty.org/cgi-bin/mailman/listinfo/jifty-devel
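The advisory's fix is to stop accepting arbitrary SQL in the "column" parameter of a limit()-style call and to route any function through a separate, constrained "function" parameter. The following added example (not Jifty::DBI's code; Jifty::DBI is Perl, and this is a Python model of the same check) shows what that separation looks like: the column must be a bare identifier, the function must come from an allowlist, and the user-supplied value is only ever bound, never interpolated. The function names, the `?` placeholder template and the operator set are assumptions made for this example.

```python
import re

# A bare SQL identifier, optionally table-qualified (e.g. users.name).
# A function call such as LOWER(name), a quote, a comment marker or a
# space does not match, so it can never reach the SQL string.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$")

# Allowlist for the "function" parameter (constructed for this example).
# The column name is substituted for the '?' in the template.
_FUNCTIONS = {
    "LOWER": "LOWER(?)",
    "UPPER": "UPPER(?)",
    "LENGTH": "LENGTH(?)",
}

_OPERATORS = {"=", "!=", "<", ">", "<=", ">=", "LIKE"}


class RejectedParameter(ValueError):
    """Raised when a caller passes something other than a plain identifier
    or an allowlisted function, mirroring the stricter 0.68 behaviour."""


def build_limit(column, value, function=None, operator="="):
    """Return (sql_fragment, bind_params) for one WHERE restriction.

    Only the validated column name and an allowlisted function template
    are interpolated; the value is returned as a bind parameter."""
    if not _IDENT.match(column):
        raise RejectedParameter(f"column must be a bare identifier: {column!r}")
    if operator not in _OPERATORS:
        raise RejectedParameter(f"unsupported operator: {operator!r}")
    lhs = column
    if function is not None:
        template = _FUNCTIONS.get(function.upper())
        if template is None:
            raise RejectedParameter(f"function not allowed: {function!r}")
        lhs = template.replace("?", column)
    return f"{lhs} {operator} ?", [value]


def is_rejected(**kwargs):
    """True if build_limit refuses the given parameters."""
    try:
        build_limit(**kwargs)
    except RejectedParameter:
        return True
    return False
```

The pre-0.68 style call, with the function call folded into the column name, is exactly the case `is_rejected(column="LOWER(name)", value="x")` reports; the migrated form passes `function="lower"` instead.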