oss-sec mailing list archives

Re: CVE Request: courier-authlib < 0.62.0 SQL Injection


From: Steffen Joeris <steffen.joeris () skolelinux de>
Date: Wed, 11 Mar 2009 12:04:21 +1100

Hi Pierre-Yves

From Changelog:

"0.62.0
2008-12-17  Sam Varshavchik  <mrsam () courier-mta com>

* authpgsqllib.c: Use PQescapeStringConn() instead of removing all
 apostrophes from query parameters. This fixes a potential SQL injection
 vulnerability if the Postgres database uses a non-Latin locale."

References:
http://www.courier-mta.org/authlib/changelog.html
http://bugs.gentoo.org/show_bug.cgi?id=252576
This should be CVE-2008-2380.


Cheers
Steffen

Attachment: signature.asc
Description: This is a digitally signed message part.


Current thread: