Bug#323052: pam-pgsql: FTBFS: libpq-fe.h: No such file or directory
Thank you for your report. I'm waiting for my sponsor to get back from vacation. Then I'll be able to upload a version compatible with the new directory structure of postgresql libraries in Debian.

Regards,
Primoz Bratanic

On Sun, 2005-08-14 at 14:22 +0200, Andreas Jochens wrote:
> Package: pam-pgsql
> Version: 0.5.2-9
> Severity: serious
>
> When building 'pam-pgsql' on unstable, I get the following error:
>
> make[1]: Entering directory `/pam-pgsql-0.5.2'
> cc -fPIC -DPIC -Wall -D_GNU_SOURCE -I/usr/include-c -o pam_pgsql.o pam_pgsql.c
> pam_pgsql.c:19:22: error: libpq-fe.h: No such file or directory
>
> Regards
> Andreas Jochens

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#308031: mailutils: sql injection vulnerability in sql authentication module
Package: mailutils
Severity: grave
Tags: security
Justification: user security hole

In /auth/sql.c there is a function sql_escape_string (...) which does escaping of bad characters before feeding them to DB. The problem is that function only escapes characters ' and (strchr ('\, *p)), but not \ . Which results in problems like ...

username = foo\' something

being escaped to

username = foo \\' something

which makes \ character literal but allows escape and subsequent injection.

Solution: add \ to list of characters to be escaped.

Primoz Bratanic

-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686-smp
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

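The escaping gap described in the report above, as an added example (not mailutils code and not part of the original message): a constructed escaper that backslash-escapes only quote characters, next to one that also escapes the backslash, which is the fix the report proposes. The function names, the sample input and the checker are assumptions, and the checker assumes an SQL dialect in which backslash is an escape character inside string literals.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Backslash-escape every byte of `in` that appears in `set`.
   Returns a malloc'ed string, or NULL on allocation failure. */
static char *escape_with(const char *in, const char *set)
{
    char *out = malloc(2 * strlen(in) + 1);  /* worst case: every byte escaped */
    char *q = out;
    if (!out) return NULL;
    for (const char *p = in; *p; p++) {
        if (strchr(set, *p))
            *q++ = '\\';
        *q++ = *p;
    }
    *q = '\0';
    return out;
}

/* Behaviour the report describes: quotes escaped, backslash not. */
char *escape_quotes_only(const char *in) { return escape_with(in, "'\""); }

/* Fix proposed in the report: backslash joins the escape set. */
char *escape_with_backslash(const char *in) { return escape_with(in, "\\'\""); }

/* Returns 1 if the escaped text, placed between single quotes, still
   contains a quote that is not consumed by a preceding backslash. */
int literal_can_terminate(const char *escaped)
{
    for (const char *p = escaped; *p; p++) {
        if (*p == '\\' && p[1]) { p++; continue; }  /* skip escaped pair */
        if (*p == '\'') return 1;
    }
    return 0;
}

int main(void)
{
    const char *input = "foo\\' something";  /* constructed: foo\' something */
    char *a = escape_quotes_only(input);
    char *b = escape_with_backslash(input);
    if (!a || !b) return 1;
    printf("quotes only:    %s  terminates literal: %d\n", a, literal_can_terminate(a));
    printf("with backslash: %s  terminates literal: %d\n", b, literal_can_terminate(b));
    free(a); free(b);
    return 0;
}
```

Where the database client library offers its own escaping call or bound parameters, those take the connection's character set into account and are preferable to a hand-written escaper.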
Bug#307784: pam-pgsql: CAN-2004-0366
Package: pam-pgsql
Severity: critical
Tags: security
Justification: root security hole

The problem reported in BUG#230875 and marked as fixed (NMU upload) was open again. The changes have disappeared. Please see the patch attached to Bug#230875 regarding sql injection problem with changing password (easy impact would be changing uid to 0 ... root compromise).

Primoz Bratanic

-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686-smp
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Bug#307796: xtradius: sql injection in authmysql
Package: xtradius
Severity: grave
Tags: security
Justification: user security hole

There is no user input verification whatsoever. In /contrib/authmysql/authmysql.c username supplied by user is fed directly to database.

Primoz Bratanic

-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686-smp
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)