Your message dated Mon, 18 Jul 2011 08:50:05 +0000
with message-id <e1qijwf-0002sh...@franck.debian.org>
and subject line Bug#633637: fixed in libapache2-mod-authnz-external 3.2.4-2.1
has caused the Debian Bug report #633637,
regarding Exploitable remotely: SQL injection
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
633637: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633637
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libapache2-mod-authnz-external
Version: 3.2.4-2
Severity: critical
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there,

According to
http://code.google.com/p/mod-auth-external/issues/detail?id=5 there's a
possible remote sql injection bug. The fix is a two liner:

- --- trunk/mod_authnz_external/mysql/mysql-auth.pl
+++ trunk/mod_authnz_external/mysql/mysql-auth.pl
@@ -62,8 +62,10 @@
exit 1;
}

- -my $dbq = $dbh->prepare("select username as username, password as password 
from users where username=\'$user\';");
+my $dbq = $dbh->prepare("select username as username, password as password 
from users where username=?;");
+$dbq->bind_param(1, $user);
$dbq->execute;
+
my $row = $dbq->fetchrow_hashref();

if ($row->{username} eq "") {
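Review bot: `$dbq->execute;` still discards its return value, so a statement that fails to run (dropped connection, missing table) falls through to `fetchrow_hashref()` and the `if ($row->{username} eq "")` test below then reports it as an unknown user, indistinguishable from a bad login, unless the handle was opened with RaiseError, which this hunk does not show. Since an `exit 1;` failure path already exists just above the hunk, consider `$dbq->execute or exit 1;` (or testing `defined $row` before the `eq ""` comparison) so a database error is not silently folded into the authentication result. Minor style points: the separate `$dbq->bind_param(1, $user);` can be written as `$dbq->execute($user);`, and the trailing `;` inside the SQL string is unnecessary for a prepared statement. The substantive change is right: the lines that spliced `$user` into the statement text are gone and the value now travels as a bound parameter.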


Thanks!


- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (100, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.39-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libapache2-mod-authnz-external depends on:
ii  apache2.2-common              2.2.19-1   Apache HTTP Server common files
pn  libc6                         <none>     (no description available)

Versions of packages libapache2-mod-authnz-external recommends:
ii  pwauth                        2.3.8-1    authenticator for mod_authnz_exter

libapache2-mod-authnz-external suggests no packages.

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk4cMpUACgkQNFDtUT/MKpAAlwCgqrEBO0A+HUB4eLWSpOf5RUf7
kGkAoKTMd0zZUneJvsHnj7O+DfxXFbMZ
=w70I
-----END PGP SIGNATURE-----



--- End Message ---
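The two query shapes the patch above moves between, as an added example that is not part of the bug report or the mod-auth-external project: a Python/sqlite3 stand-in for the Perl DBI/MySQL script, with a constructed two-column users table and a constructed payload. The `%s` interpolation plays the role of the old `'$user'` splice and the `?` placeholder the role of DBI's `?`; the `user_known` check mirrors the script's `if ($row->{username} eq "")` test. It also shows the edge case the interpolated form gets wrong for honest input: a username with an apostrophe is a syntax error rather than a lookup.

```python
import sqlite3

# Constructed sample data (not the project's schema): column names match
# the query in the patch; password values are placeholders, not hashes.
SAMPLE_USERS = [("alice", "hash-a"), ("bob", "hash-b")]

# Same statement shape as mysql-auth.pl, in its pre- and post-patch forms.
SQL_INTERPOLATED = ("select username as username, password as password "
                    "from users where username='%s';")
SQL_PLACEHOLDER = ("select username as username, password as password "
                   "from users where username=?")

# Constructed payload: closes the quote, adds a tautology, and re-opens a
# quote so the statement's own closing ' is consumed.
INJECTED = "' OR '1'='1"


def make_db():
    """In-memory SQLite stand-in for the MySQL users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)", SAMPLE_USERS)
    return conn


def lookup_interpolated(conn, user):
    """Pre-patch shape: the username is spliced into the SQL text, so any
    quote character in it becomes part of the statement's grammar."""
    return conn.execute(SQL_INTERPOLATED % user).fetchone()


def interpolated_breaks(conn, user):
    """True when the pre-patch statement is not even valid SQL for this
    input (e.g. o'brien): the same fault the injection payload abuses."""
    try:
        conn.execute(SQL_INTERPOLATED % user).fetchone()
        return False
    except sqlite3.Error:
        return True


def lookup_bound(conn, user):
    """Post-patch shape: a ? placeholder with the value bound separately.
    The driver never parses the value as SQL, whatever it contains."""
    return conn.execute(SQL_PLACEHOLDER, (user,)).fetchone()


def user_known(row):
    """Mirror of the script's `if ($row->{username} eq "")` test."""
    return row is not None and row[0] != ""


if __name__ == "__main__":
    conn = make_db()
    print("interpolated, injected input:", lookup_interpolated(conn, INJECTED))
    print("bound, injected input:       ", lookup_bound(conn, INJECTED))
    print("interpolated, o'brien breaks:", interpolated_breaks(conn, "o'brien"))
    print("bound, o'brien:              ", lookup_bound(conn, "o'brien"))
```

With the interpolated form the payload yields a real user row, so the username check passes for a name that does not exist; with the placeholder the same string is looked up literally and matches nothing. The bound form also handles `o'brien` as an ordinary lookup instead of a malformed statement.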
--- Begin Message ---
Source: libapache2-mod-authnz-external
Source-Version: 3.2.4-2.1

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-authnz-external, which is due to be installed in the Debian FTP 
archive:

libapache2-mod-authnz-external_3.2.4-2.1.diff.gz
  to 
main/liba/libapache2-mod-authnz-external/libapache2-mod-authnz-external_3.2.4-2.1.diff.gz
libapache2-mod-authnz-external_3.2.4-2.1.dsc
  to 
main/liba/libapache2-mod-authnz-external/libapache2-mod-authnz-external_3.2.4-2.1.dsc
libapache2-mod-authnz-external_3.2.4-2.1_amd64.deb
  to 
main/liba/libapache2-mod-authnz-external/libapache2-mod-authnz-external_3.2.4-2.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 633...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <wh...@debian.org> (supplier of updated 
libapache2-mod-authnz-external package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 18 Jul 2011 10:26:11 +1000
Source: libapache2-mod-authnz-external
Binary: libapache2-mod-authnz-external
Architecture: source amd64
Version: 3.2.4-2.1
Distribution: unstable
Urgency: high
Maintainer: Hai Zaar <haiz...@haizaar.com>
Changed-By: Steffen Joeris <wh...@debian.org>
Description: 
 libapache2-mod-authnz-external - authenticate Apache against external 
authentication services
Closes: 633637
Changes: 
 libapache2-mod-authnz-external (3.2.4-2.1) unstable; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix SQL injection via the $user parameter (Closes: #633637)
     Fixes: CVE-2011-2688
Checksums-Sha1: 
 0de6e958e966f184447226c4fa59fd96b1b3f343 1214 
libapache2-mod-authnz-external_3.2.4-2.1.dsc
 df06932fe7da2cbb6a00b4d5d74d3e1fe7de447c 3613 
libapache2-mod-authnz-external_3.2.4-2.1.diff.gz
 47222b3442e64d3217f73b319d84b313b77987b6 24640 
libapache2-mod-authnz-external_3.2.4-2.1_amd64.deb
Checksums-Sha256: 
 3b0844019250924afb235d15bc6fb27095ed25b6b332eccbcb3dd8a1c83accb6 1214 
libapache2-mod-authnz-external_3.2.4-2.1.dsc
 7255a4c23a948d943bf9a815f45cf94a6c9c6bf3ca09706b3b5921655e2038f4 3613 
libapache2-mod-authnz-external_3.2.4-2.1.diff.gz
 70fc8d5f3028511ea740ab8292177daa1a9c489f053d70b9eec440dabcf2b0f7 24640 
libapache2-mod-authnz-external_3.2.4-2.1_amd64.deb
Files: 
 7840d7735cd2e33f014228c7c3796509 1214 web optional 
libapache2-mod-authnz-external_3.2.4-2.1.dsc
 58c4d961fa1ce9010027c4d3454c5ead 3613 web optional 
libapache2-mod-authnz-external_3.2.4-2.1.diff.gz
 4cdf5d46a542c1431d3224cde7ebf42e 24640 web optional 
libapache2-mod-authnz-external_3.2.4-2.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk4jf6IACgkQ62zWxYk/rQcDZACeOmzxWS11MoBQmJVG3e4K9XOl
MhEAn2IbmG6irpoYx5KourhC5aadyefL
=BlZk
-----END PGP SIGNATURE-----



--- End Message ---
