Re: [SECURITY] [DSA 469-1] New libpam-pgsql packages fix SQL injection



Martin Schulze wrote:

> Package        : pam-pgsql
> Vulnerability  : missing input sanitising
> Problem-Type   : remote
> Debian-specific: no
> CVE ID         : CAN-2004-0366
> 
> Primoz Bratanic discovered a bug in libpam-pgsql, a PAM module to
> authenticate using a PostgreSQL database.  The library does not escape
> all user-supplied data that are sent to the database.  An attacker
> could exploit this bug to insert SQL statements.

How does this differ from

<http://cert.uni-stuttgart.de/advisories/postgresql_pam_nss.php>?

-- 
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: postino.it, tiscali.co.uk, tiscali.cz, tiscali.it,
voila.fr.
