oss-sec mailing list archives
Re: CVE Request: courier-authlib < 0.62.0 SQL Injection
From: Steffen Joeris <steffen.joeris () skolelinux de>
Date: Wed, 11 Mar 2009 12:04:21 +1100
Hi Pierre-Yves
From Changelog:
"0.62.0

2008-12-17 Sam Varshavchik <mrsam () courier-mta com>

* authpgsqllib.c: Use PQescapeStringConn() instead of removing all apostrophes from query parameters. This fixes a potential SQL injection vulnerability if the Postgres database uses a non-Latin locale."

References:
http://www.courier-mta.org/authlib/changelog.html
http://bugs.gentoo.org/show_bug.cgi?id=252576

This should be CVE-2008-2380.

Cheers
Steffen
Current thread:
- CVE Request: courier-authlib < 0.62.0 SQL Injection Pierre-Yves Rofes (Mar 10)
- Re: CVE Request: courier-authlib < 0.62.0 SQL Injection Steffen Joeris (Mar 10)
