Hi,

I recently wrote to team@security.debian.org regarding a security update for python-pgsql. Joey wrote back with the following response:

> Please upload into proposed-updates after discussing this issue with
> the stable release team.

The issue is described in bug #369250; essentially it fixes a security hole due to bad escaping of quotes in some encodings (CVE-2006-2314). AIUI there has been a recent update to the postgresql servers in debian that fixes this at the server end (DSA-1087-1). If the current python-pgsql attempts to connect to a patched server using one of the affected encodings, the transactions will fail. If it attempts to connect to an unpatched server, the security hole can still be exploited. DSA-1087-1 advises users to update their python-pgsql; the update they are referring to is the one I am posting here.

Attached are .diff.gz and .dsc files that fix the problem in stable (with new version python-pgsql_2.4.0-5sarge1). Is this suitable for uploading to proposed-updates?

Thanks - Ben.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.0
Source: python-pgsql
Version: 2.4.0-5sarge1
Binary: python-pgsql, python2.2-pgsql, python2.3-pgsql, python2.1-pgsql
Maintainer: Ben Burton <bab@debian.org>
Architecture: any
Standards-Version: 3.6.1
Build-Depends: debhelper (>> 3.0.48), ed, postgresql-dev (>= 7.2.1), python2.1-dev, python2.2-dev, python2.3-dev
Files:
 8954d163ce05ab245ca1a1151684ec7f 152259 python-pgsql_2.4.0.orig.tar.gz
 4d0f3a419d10296518bc3b7002865ee4 11820 python-pgsql_2.4.0-5sarge1.diff.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEgFvsMQNuxza4YcERArzXAJ97nUpXZhTADmKjjOk7wYG70o+70wCgmWUI
kKGg0xtreYUFxBnKDcPe28c=
=oUI0
-----END PGP SIGNATURE-----
Attachment:
python-pgsql_2.4.0-5sarge1.diff.gz
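Illustration of the bug class this update addresses, added here and not taken from python-pgsql, the Debian patch or the PostgreSQL server: in SJIS the byte 0x5c (backslash) is a valid trailing byte of a two-byte character, so an escaper that rewrites ' as \' can have its backslash absorbed into the preceding character, leaving the quote unescaped, whereas doubling the quote cannot fail this way because 0x27 is never a trailing byte. The two quoters and the SJIS-aware scanner below are my own constructions for the demonstration, not the real client or server code.

```python
# Added example; not code from python-pgsql, its Debian patch or PostgreSQL.
# Assumption (the CVE-2006-2314 bug class): in SJIS, 0x5c is a legal
# trailing byte, so a backslash inserted by an escaper can be swallowed
# into the previous character and the quote after it ends the string.


def sjis_lead(b: int) -> bool:
    return 0x81 <= b <= 0x9F or 0xE0 <= b <= 0xFC


def sjis_trail(b: int) -> bool:
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFC


def quote_backslash(value: bytes) -> bytes:
    """Old-style quoting: escape backslash and ' with a backslash (unsafe in SJIS)."""
    return b"'" + value.replace(b"\\", b"\\\\").replace(b"'", b"\\'") + b"'"


def quote_doubled(value: bytes) -> bytes:
    """SQL-standard quoting: double every single quote (safe in SJIS)."""
    return b"'" + value.replace(b"'", b"''") + b"'"


def scan_literal(literal: bytes) -> str:
    """Walk a quoted literal as an SJIS-aware, encoding-validating server would.
    'ok': closes at its last byte; 'early-close': closes before it, so the
    remaining bytes would be parsed as SQL; 'encoding-error': invalid
    multibyte sequence (rejected); 'unterminated': never closes."""
    i = 1  # skip the opening quote
    while i < len(literal):
        b = literal[i]
        if sjis_lead(b):
            if i + 1 >= len(literal) or not sjis_trail(literal[i + 1]):
                return "encoding-error"
            i += 2  # lead + trail byte form one character, whatever they are
            continue
        if b == 0x5C:
            i += 2  # backslash escape: the next byte is data
            continue
        if b == 0x27:
            if literal[i + 1:i + 2] == b"'":
                i += 2  # doubled quote is a literal quote
                continue
            return "ok" if i == len(literal) - 1 else "early-close"
        i += 1
    return "unterminated"


def check(quoter, value: bytes) -> str:
    """Quote a constructed input with the given quoter and scan the result."""
    return scan_literal(quoter(value))
```

With a lone SJIS lead byte followed by a quote (constructed input b"\x95' x"), the backslash quoter yields an early close while the doubling quoter yields an encoding error that a validating server rejects.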