[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: packages that use deprecated SQL escape functions

Hi Charles

On Thu, 15 Oct 2009 01:50:35 pm Charles Plessy wrote:
> Le Thu, Oct 15, 2009 at 01:26:14PM +1100, Steffen Joeris a écrit :
> > In the near future, I will try to do the archive scan again and file bugs
> > with severity "normal" for the packages below that are still relying on
> > the deprecated functions. (Should they be found vulnerable, the severity
> > will be raised of course).
> Dear Steffen,
> shouldn’t the upstream maintainer(s) be warned before the security issue is
> advertised in public?
Before I sent the list, I checked some of the major packages together with the 
maintainers, so there was some work that happened in the background before 
publication. Also, I don't expect many of the packages below to be vulnerable, 
because not every applications allows the setting of the client encoding.
Also, I've released a few DSAs to update common bindings in different languages 
that only offered the deprecated functions. At this stage, it is better to 
publish this list and ask the maintainers for help, because we don't have the 
manpower to check them all individually and test them.


Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: