Your message dated Tue, 19 Jul 2011 19:57:45 +0000
with message-id <e1qjgql-0001mw...@franck.debian.org>
and subject line Bug#633637: fixed in libapache2-mod-authnz-external 3.2.4-2+squeeze1
has caused the Debian Bug report #633637,
regarding Exploitable remotely: SQL injection
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
633637: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633637
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libapache2-mod-authnz-external
Version: 3.2.4-2
Severity: critical
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there,

According to http://code.google.com/p/mod-auth-external/issues/detail?id=5
there's a possible remote SQL injection bug. The fix is a two-liner:

- --- trunk/mod_authnz_external/mysql/mysql-auth.pl
+++ trunk/mod_authnz_external/mysql/mysql-auth.pl
@@ -62,8 +62,10 @@
exit 1;
}

- -my $dbq = $dbh->prepare("select username as username, password as password 
from users where username=\'$user\';");
+my $dbq = $dbh->prepare("select username as username, password as password 
from users where username=?;");
+$dbq->bind_param(1, $user);
$dbq->execute;
+
my $row = $dbq->fetchrow_hashref();

if ($row->{username} eq "") {
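Review bot: `$dbq->execute;` still discards DBI's return value, so a failed execute (a dropped connection, a permission error) falls through to `fetchrow_hashref()` on a statement that never ran, and the `if ($row->{username} eq "")` test that follows is then what decides the outcome rather than an explicit error path like the `exit 1` just above the hunk; check it, e.g. `$dbq->execute($user) or exit 1;`, which also makes the separate `$dbq->bind_param(1, $user);` line unnecessary since execute binds its arguments. The placeholder itself is the right fix: `$user` now travels to the driver as data, so a quote inside it can no longer terminate the string literal the way it did in the removed line. One practical caveat for anyone applying this hunk from the mail: it sits inside a PGP clear-signed body, so the `- ---` and `- -my` lines are dash-escaped and must be restored to `---` and `-my` before `patch` will accept them.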


Thanks!


- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (100, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.39-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libapache2-mod-authnz-external depends on:
ii  apache2.2-common              2.2.19-1   Apache HTTP Server common files
pn  libc6                         <none>     (no description available)

Versions of packages libapache2-mod-authnz-external recommends:
ii  pwauth                        2.3.8-1    authenticator for mod_authnz_exter

libapache2-mod-authnz-external suggests no packages.

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk4cMpUACgkQNFDtUT/MKpAAlwCgqrEBO0A+HUB4eLWSpOf5RUf7
kGkAoKTMd0zZUneJvsHnj7O+DfxXFbMZ
=w70I
-----END PGP SIGNATURE-----



--- End Message ---
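The injection described in the report above and in the changelog entry "Fix SQL injection via $user parameter", as an added example that is not code from the mod-auth-external project, from the bug reporter or from the Debian package: the interpolated query of the removed line beside the placeholder query of the added line, re-expressed in Python with SQLite standing in for MySQL so it runs offline. The `users` table and its `username`/`password` columns follow the SELECT in the patch; the sample rows and the submitted usernames are constructed.

```python
"""Vulnerable and fixed lookups from mysql-auth.pl, re-expressed in Python.

Added example, not code from the mod-auth-external project or from the bug
report. SQLite stands in for MySQL so the script runs offline; the table and
column names follow the SELECT shown in the patch, and SAMPLE_USERS is
constructed data.
"""
import sqlite3

# Constructed sample rows. The script on the page fetches the password
# column for later comparison; how it compares is not shown there.
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("admin", "hunter2"),
]


def make_db():
    """In-memory users table shaped like the one the Perl script queries."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user):
    """The 'before' form: $user interpolated straight into the SQL text.

    Kept deliberately injectable to mirror the removed line of the patch.
    """
    sql = ("select username as username, password as password "
           "from users where username='%s';" % user)
    row = conn.execute(sql).fetchone()  # first row only, like fetchrow_hashref
    return dict(row) if row else None


def lookup_fixed(conn, user):
    """The 'after' form: a ? placeholder with the value bound separately."""
    sql = ("select username as username, password as password "
           "from users where username=?;")
    row = conn.execute(sql, (user,)).fetchone()
    return dict(row) if row else None


def compare(user):
    """Run both lookups on one submitted username.

    Returns (vulnerable_result, fixed_result); each is the matched
    username, None for no row, or 'sql error' if the statement failed.
    """
    conn = make_db()
    try:
        row = lookup_vulnerable(conn, user)
        vulnerable = row["username"] if row else None
    except sqlite3.OperationalError:
        vulnerable = "sql error"
    row = lookup_fixed(conn, user)
    fixed = row["username"] if row else None
    conn.close()
    return vulnerable, fixed


if __name__ == "__main__":
    for submitted in ("alice", "x' OR username='admin", "' OR '1'='1", "o'brien"):
        print(repr(submitted), "->", compare(submitted))
```

Submitting `x' OR username='admin` makes the interpolated query return the admin row, and `' OR '1'='1` returns the first row of the table whatever was typed, so the attacker picks which stored credential the rest of the script goes on to compare against; a plain apostrophe (`o'brien`) turns into a syntax error. With the bound parameter every one of those strings is compared literally against `username` and matches nothing.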
--- Begin Message ---
Source: libapache2-mod-authnz-external
Source-Version: 3.2.4-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-authnz-external, which is due to be installed in the Debian FTP archive:

libapache2-mod-authnz-external_3.2.4-2+squeeze1.diff.gz
  to main/liba/libapache2-mod-authnz-external/libapache2-mod-authnz-external_3.2.4-2+squeeze1.diff.gz
libapache2-mod-authnz-external_3.2.4-2+squeeze1.dsc
  to main/liba/libapache2-mod-authnz-external/libapache2-mod-authnz-external_3.2.4-2+squeeze1.dsc
libapache2-mod-authnz-external_3.2.4-2+squeeze1_amd64.deb
  to main/liba/libapache2-mod-authnz-external/libapache2-mod-authnz-external_3.2.4-2+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 633...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <wh...@debian.org> (supplier of updated libapache2-mod-authnz-external package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 18 Jul 2011 10:31:23 +1000
Source: libapache2-mod-authnz-external
Binary: libapache2-mod-authnz-external
Architecture: source amd64
Version: 3.2.4-2+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Hai Zaar <haiz...@haizaar.com>
Changed-By: Steffen Joeris <wh...@debian.org>
Description: 
 libapache2-mod-authnz-external - authenticate Apache against external authentication services
Closes: 633637
Changes: 
 libapache2-mod-authnz-external (3.2.4-2+squeeze1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix SQL injection via $user parameter (Closes: #633637)
     Fixes: CVE-2011-2688
Checksums-Sha1: 
 47ff2c5d9fce527e510bbd23c35b88bdd4251782 1242 libapache2-mod-authnz-external_3.2.4-2+squeeze1.dsc
 517401421ffe6db02a5e5c34f650f653d05affd5 37593 libapache2-mod-authnz-external_3.2.4.orig.tar.gz
 7aa00718867a1330252229a8986de2d6aaa5d6b3 3713 libapache2-mod-authnz-external_3.2.4-2+squeeze1.diff.gz
 ba7e84f3115eb03e11d60c6e2f3b5d68e060a2cc 24642 libapache2-mod-authnz-external_3.2.4-2+squeeze1_amd64.deb
Checksums-Sha256: 
 3d796382343cce8509161d32777666772b3d850a6dc240ed89c1eb8986e72366 1242 libapache2-mod-authnz-external_3.2.4-2+squeeze1.dsc
 a5fad1559a8b825e86be4458290405bb1bb9379576ba072c3f4279400ee3b915 37593 libapache2-mod-authnz-external_3.2.4.orig.tar.gz
 d10769a4600e7014d965a4d82f4d48af88c858d0f515178c6d60a8510149af2a 3713 libapache2-mod-authnz-external_3.2.4-2+squeeze1.diff.gz
 78e07b55ee6b642252dee670a5fafaab118cb765a9b0f3beff4d6f767ba4f78d 24642 libapache2-mod-authnz-external_3.2.4-2+squeeze1_amd64.deb
Files: 
 73fef44c4760dfee0077e68d12200010 1242 web optional libapache2-mod-authnz-external_3.2.4-2+squeeze1.dsc
 055de3666b720065dda2e83293cd2d2a 37593 web optional libapache2-mod-authnz-external_3.2.4.orig.tar.gz
 e469472990b79acd397f6e586827485f 3713 web optional libapache2-mod-authnz-external_3.2.4-2+squeeze1.diff.gz
 95729988d97b070642291b4b4c125ec9 24642 web optional libapache2-mod-authnz-external_3.2.4-2+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk4jgLoACgkQ62zWxYk/rQeqlgCdEiocyu3V17+a7Waz2aCYsOPJ
4zwAoLchSy7rwVkVHQ/JVO3En7licYoi
=rext
-----END PGP SIGNATURE-----



--- End Message ---