Bug#323052: pam-pgsql: FTBFS: libpq-fe.h: No such file or directory

2005-08-14 Thread Primoz Bratanic
Thank you for your report. I'm waiting for my sponsor to get back from
vacation. Then I'll be able to upload a version compatible with the new
directory structure of the postgresql libraries in Debian.

Regards,

Primoz Bratanic


On Sun, 2005-08-14 at 14:22 +0200, Andreas Jochens wrote:
 Package: pam-pgsql
 Version: 0.5.2-9
 Severity: serious
 
 When building 'pam-pgsql' on unstable,
 I get the following error:
 
 make[1]: Entering directory `/pam-pgsql-0.5.2'
 cc -fPIC -DPIC -Wall -D_GNU_SOURCE -I/usr/include-c -o pam_pgsql.o 
 pam_pgsql.c
 pam_pgsql.c:19:22: error: libpq-fe.h: No such file or directory
 
 
 Regards
 Andreas Jochens
 



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#308031: mailutils: sql injection vulnerability in sql authentication module

2005-05-07 Thread Primoz Bratanic
Package: mailutils
Severity: grave
Tags: security
Justification: user security hole



In /auth/sql.c there is a function sql_escape_string (...) which does
escaping of bad characters before feeding them to the DB. The problem is that
the function only escapes characters ' and  (strchr ('\, *p)), but not \ .
This results in problems like ... username = foo\' something being
escaped to username = foo \\' something, which makes the \ character literal
but allows escape and subsequent injection.

Solution: add \ to list of characters to be escaped.

Primoz Bratanic 


-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686-smp
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)


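An added illustration of the escaping gap described in the report above (this is not code from mailutils or from the reporter): a quote-only escaper beside one that also escapes the backslash, plus a small scanner that checks whether the resulting single-quoted literal terminates early. The function names are assumptions and the sample input is the report's own "foo\' something".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Backslash-prefix every character of `specials` found in `s`; the result is
 * meant to sit inside a single-quoted SQL literal. Caller frees it. */
static char *escape_with(const char *s, const char *specials) {
    char *out = malloc(2 * strlen(s) + 1);   /* worst case: every char doubled */
    if (!out) return NULL;
    char *o = out;
    for (const char *p = s; *p; p++) {
        if (strchr(specials, *p)) *o++ = '\\';
        *o++ = *p;
    }
    *o = '\0';
    return out;
}

/* Flawed escaper (assumed name): handles ' but leaves \ alone, the gap the report describes. */
char *escape_quote_only(const char *s) { return escape_with(s, "'"); }

/* Fixed escaper (assumed name): \ is escaped too, so an input backslash can no
 * longer neutralise the backslash placed in front of a following quote. */
char *escape_quote_and_backslash(const char *s) { return escape_with(s, "'\\"); }

/* Read the escaped value the way a backslash-aware SQL lexer reads the inside
 * of a '...' literal. Returns 1 if an unescaped ' is reached before the end,
 * i.e. the literal closes early and whatever follows is parsed as SQL. */
int literal_breaks_out(const char *escaped) {
    for (const char *p = escaped; *p; p++) {
        if (*p == '\\') {
            if (!p[1]) break;   /* trailing backslash escapes nothing */
            p++;                /* skip the escaped character */
            continue;
        }
        if (*p == '\'') return 1;
    }
    return 0;
}

int main(void) {
    const char *input = "foo\\' something";   /* the report's sample, as a C literal */
    char *bad = escape_quote_only(input);
    char *good = escape_quote_and_backslash(input);
    printf("quote-only:      %-20s breaks out: %d\n", bad, literal_breaks_out(bad));
    printf("quote+backslash: %-20s breaks out: %d\n", good, literal_breaks_out(good));
    free(bad);
    free(good);
    return 0;
}
```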




Bug#307784: pam-pgsql: CAN-2004-0366

2005-05-05 Thread Primoz Bratanic
Package: pam-pgsql
Severity: critical
Tags: security
Justification: root security hole



The problem reported in BUG#230875 and marked as fixed (NMU upload) was open
again. The changes have disappeared. Please see the patch attached to
Bug#230875 regarding sql injection problem with changing password (easy
impact would be changing uid to 0 ... root compromise).


Primoz Bratanic


-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686-smp
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)






Bug#307796: xtradius: sql injection in authmysql

2005-05-05 Thread Primoz Bratanic
Package: xtradius
Severity: grave
Tags: security
Justification: user security hole



There is no user input verification whatsoever. In
/contrib/authmysql/authmysql.c the username supplied by the user is fed
directly to the database.

Primoz Bratanic



-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686-smp
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)


