Your message dated Sat, 24 Feb 2007 13:58:51 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#303991: fixed in dbmail 2.2.1-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: dbmail-mysql
Version: 1.2.11-1
Severity: grave
Tags: security
Justification: user security hole
Initially spotted as I'd tried to set up an account with an owner name of
"Familly" and was being told that "Familly" was not a valid column in
the table. Further investigation of the source code showed no escaping
of user supplied data. I was using md5 passwords, so perhaps a quote or
something managed to get into the query.
I've downloaded version 2 from the upstream site and a lot of work has
been done on this so I'm far happier to use that. The package design
looks quite solid. I'd have still preferred parameterised queries as
that's a lot more bulletproof. Version 2's database access has been
spread around a little more so it's harder to retrofit that there
(will take a bit more code reading to work out how best). I don't know
whether or not MySQL or Postgress would take advantage of query caching
if parameterised queries are used.
Thanks
- Richard
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-mm4
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Versions of packages dbmail-mysql depends on:
ii debconf 1.4.47 Debian configuration management sy
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libmysqlclient10 3.23.56-2 LGPL-licensed client library for M
ii ucf 1.17 Update Configuration File: preserv
--- End Message ---
--- Begin Message ---
Source: dbmail
Source-Version: 2.2.1-1
We believe that the bug you reported is fixed in the latest version of
dbmail, which is due to be installed in the Debian FTP archive:
dbmail-mysql_2.2.1-1_i386.deb
to pool/main/d/dbmail/dbmail-mysql_2.2.1-1_i386.deb
dbmail-pgsql_2.2.1-1_i386.deb
to pool/main/d/dbmail/dbmail-pgsql_2.2.1-1_i386.deb
dbmail_2.2.1-1.diff.gz
to pool/main/d/dbmail/dbmail_2.2.1-1.diff.gz
dbmail_2.2.1-1.dsc
to pool/main/d/dbmail/dbmail_2.2.1-1.dsc
dbmail_2.2.1-1_i386.deb
to pool/main/d/dbmail/dbmail_2.2.1-1_i386.deb
dbmail_2.2.1.orig.tar.gz
to pool/main/d/dbmail/dbmail_2.2.1.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paul J Stevens <[EMAIL PROTECTED]> (supplier of updated dbmail package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 18 Nov 2006 17:04:56 +0100
Source: dbmail
Binary: dbmail dbmail-pgsql dbmail-mysql
Architecture: source i386
Version: 2.2.1-1
Distribution: unstable
Urgency: low
Maintainer: Amaya Rodrigo <[EMAIL PROTECTED]>
Changed-By: Paul J Stevens <[EMAIL PROTECTED]>
Description:
dbmail - base package for the dbmail email solution
dbmail-mysql - MySQL module for Dbmail
dbmail-pgsql - Postgresql module for Dbmail
Closes: 235026 236406 256236 284770 288956 290833 303991 308204 310182 310183
315404 331793 334438 336044 351341 358832 376381 380713
Changes:
dbmail (2.2.1-1) unstable; urgency=low
.
* new upstream release (closes: #351341)
* Provide a common package (closes: #236406).
* Fixes sql insertion vulnerabilities (closes: #290833, #303991).
* Stop services in prerm (closes: #256236).
* Find postgresql headers during build (closes: #315404).
* Don't rely on ucf when purging (closes: #334438).
* Fix problem in stunnel startup (closes: #288956).
* Correctly install init scripts (Closes: #235026)
* Fixes build failures (Closes: #284770, #376381).
* Add debconf-2.0 alternate (Closes: #331793).
* Update MySQL dependency (Closes: #358832).
* Add debconf translations (Closes: #310183, #308204, #310182, #336044).
* Make init script lsb compliant.
* Build-depends on automake1.9 instead of automaken (Closes: #380713).
Files:
8580fdcc1ef5ad54d47a3a375bbd4a05 836 mail optional dbmail_2.2.1-1.dsc
0023c5b55bdd2856ed4ec44c729adfdd 848546 mail optional dbmail_2.2.1.orig.tar.gz
c8c4c6fd74e7697f04532d05983c4ebb 19298 mail optional dbmail_2.2.1-1.diff.gz
bfcc561d3aa5360dcfdb1459941e97c3 251178 mail optional dbmail_2.2.1-1_i386.deb
6690fb43518acdfda8a8dc21a07b381f 16698 mail optional
dbmail-pgsql_2.2.1-1_i386.deb
8fdc4a4a9c638a677519e5e0f9ee3414 17436 mail optional
dbmail-mysql_2.2.1-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iEYEARECAAYFAkW58LkACgkQNFDtUT/MKpDqVgCgqLSNZIk2a/b4gTDh3YC8JyqU
SWQAnRosN5JpE11ASr6R7hw9GinBdwP8
=QMM6
-----END PGP SIGNATURE-----
--- End Message ---
