Your message dated Fri, 16 Jun 2006 14:33:22 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#369239: fixed in pygresql 1:3.8.1-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: pygresql
Version: 1:3.7-1
Severity: important
Tags: security, patch

Hi!

Recently, a security hole has been discovered in PostgreSQL client
applications, see http://www.postgresql.org/docs/techdocs.50 for
details. In short, using \' for quote escaping is insecure and now not
allowed any more in some encodings which are prone to this SQL
injection attack.

Quotes in the pgdb wrapper are already correctly escaped as '', but
some functions in the classic pg module still use \'. This patch fixes that:

   http://patches.ubuntu.com/patches/pygresql.CVE-2006-2314.diff

Please mention the CVE number in the changelog when you fix this.

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?



--- End Message ---
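The fix the report above describes, written out as an added example (this is not pygresql's own `_quote` code, and all function names here are hypothetical): the insecure quoter that escapes a single quote as `\'` next to the SQL-standard one that doubles it as `''`, plus a small parser that follows standard string rules (only `''` escapes a quote, backslash is an ordinary character) so the output of each quoter can be checked for an early-terminating literal. Doubling is safe regardless of client encoding because the quote byte 0x27 lies below the second-byte range of the affected multi-byte encodings (SJIS, Big5, GBK), whereas the backslash byte 0x5C does not.

```python
# Added example, not pygresql's own code. Function names are hypothetical.


def quote_literal_legacy(value):
    """The insecure style the bug report describes: escape ' as \\'.
    Kept only so the difference can be checked; do not use."""
    return "'%s'" % str(value).replace("'", "\\'")


def quote_literal(value):
    """SQL-standard literal quoting: double every single quote.
    Safe in every PostgreSQL client encoding because 0x27 (') is never
    the trailing byte of a multi-byte character, so the server cannot
    merge it into the preceding character the way it can with 0x5C (\\)."""
    if value is None:
        return "NULL"
    return "'%s'" % str(value).replace("'", "''")


def parse_literal(sql_literal):
    """Parse a quoted literal under SQL-standard rules (only '' escapes a
    quote; backslash is an ordinary character).  Returns the decoded text,
    or None if the literal is unterminated or its closing quote is not the
    last character (i.e. the literal ended early and text trails it).
    Used here to check what each quoter produces."""
    if len(sql_literal) < 2 or sql_literal[0] != "'":
        return None
    out = []
    i = 1
    n = len(sql_literal)
    while i < n:
        ch = sql_literal[i]
        if ch == "'":
            if i + 1 < n and sql_literal[i + 1] == "'":
                out.append("'")      # doubled quote -> one literal quote
                i += 2
                continue
            # lone quote: must be the closing one, and must be last
            return "".join(out) if i == n - 1 else None
        out.append(ch)
        i += 1
    return None                      # no closing quote at all


def round_trips(value):
    """True if quote_literal() output decodes back to the input."""
    return parse_literal(quote_literal(value)) == value


if __name__ == "__main__":
    sample = "O'Reilly"              # constructed sample input
    print("legacy :", quote_literal_legacy(sample),
          "->", parse_literal(quote_literal_legacy(sample)))
    print("fixed  :", quote_literal(sample),
          "->", parse_literal(quote_literal(sample)))
```

With the sample value the legacy quoter yields `'O\'Reilly'`, which a standard-conforming parser cuts off after `O\`, while the fixed quoter yields `'O''Reilly'` and decodes back to the original string.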
--- Begin Message ---
Source: pygresql
Source-Version: 1:3.8.1-1

We believe that the bug you reported is fixed in the latest version of
pygresql, which is due to be installed in the Debian FTP archive:

pygresql_3.8.1-1.diff.gz
  to pool/main/p/pygresql/pygresql_3.8.1-1.diff.gz
pygresql_3.8.1-1.dsc
  to pool/main/p/pygresql/pygresql_3.8.1-1.dsc
pygresql_3.8.1.orig.tar.gz
  to pool/main/p/pygresql/pygresql_3.8.1.orig.tar.gz
python-pygresql_3.8.1-1_i386.deb
  to pool/main/p/pygresql/python-pygresql_3.8.1-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <[EMAIL PROTECTED]> (supplier of updated pygresql package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 16 Jun 2006 21:43:33 +0200
Source: pygresql
Binary: python-pygresql
Architecture: source i386
Version: 1:3.8.1-1
Distribution: unstable
Urgency: high
Maintainer: Matthias Klose <[EMAIL PROTECTED]>
Changed-By: Matthias Klose <[EMAIL PROTECTED]>
Description: 
 python-pygresql - PostgreSQL module for Python
Closes: 369239 373494
Changes: 
 pygresql (1:3.8.1-1) unstable; urgency=low
 .
   * New upstream version.
   * Convert to updated Python policy. Closes: #373494.
 .
 pygresql (1:3.8-1.1) unstable; urgency=high
 .
   * NMU with the maintainer's permission.
   * Urgency high since this only fixes an important bug with a trivial patch.
   * pg.py, _quote(): Escape quotes in strings as '', not as \', since the
     latter does not work any more with some client encodings with the latest
     PostgreSQL (in some multi-byte encodings you can exploit \' escaping to
     inject SQL code, see CVE-2006-2314). Closes: #369239
Files: 
 9fbcc07e88bb3ded6e8a45c8d94ef703 675 python optional pygresql_3.8.1-1.dsc
 5575979dac93c9c5795d7693a8f91c86 81186 python optional pygresql_3.8.1.orig.tar.gz
 7c20b3cd41849952ab0057be36ef929c 3304 python optional pygresql_3.8.1-1.diff.gz
 dc27e5e6c4af2c139f9b081679ba4d9b 104310 python optional python-pygresql_3.8.1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEkw2jStlRaw+TLJwRAhynAKDH6e6h1RNekU1099RRh1GuBfWdLwCfdmCh
exFTRRnbOH+AxsaeEuy52zE=
=/U97
-----END PGP SIGNATURE-----


--- End Message ---
