Debian Bug report logs - #521823
SQL injection


Package: auth2db; Maintainer for auth2db is Ulises Vitulli <dererk@debian.org>; Source for auth2db is src:auth2db.

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Mon, 30 Mar 2009 09:54:02 UTC

Severity: important

Tags: security

Found in version auth2db/0.2.5-2+dfsg-1

Fixed in versions auth2db/0.2.5-2+dfsg-1.1, 0.2.5-2+dfsg-1+lenny1, 0.2.5-2+dfsg-1.1

Done: Steffen Joeris <steffen.joeris@skolelinux.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Ulises Vitulli <uvitulli@fi.uba.ar>:
Bug#521823; Package auth2db. (Mon, 30 Mar 2009 09:54:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Ulises Vitulli <uvitulli@fi.uba.ar>. (Mon, 30 Mar 2009 09:54:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: SQL injection
Date: Mon, 30 Mar 2009 20:35:15 +1100
Package: auth2db
Version: 0.2.5-2+dfsg-1
Severity: grave
Tags: security

Hi

auth2db uses addslashes, which doesn't protect against SQL injections
when used with multibyte character encodings.
As discussed via private mails, the NMU patch is attached.

Cheers
Steffen
[nmu.patch (text/x-diff, attachment)]
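The attached NMU patch is not reproduced on this page. As an added illustration (not auth2db's code and not the patch), the check below finds the pattern this bug is about, SQL statements built from addslashes()-escaped values, in PHP source; the PHP sample it scans is constructed, and the fix it points at is parameterised queries.

```python
"""Flag PHP code that assembles SQL text from addslashes()-escaped input.

addslashes() escapes byte-wise and knows nothing about the connection
charset, so a backslash it inserts can be absorbed into a multibyte
character; it is not a safe SQL escaping primitive.  Parameterised
queries (PDO::prepare) or the driver's charset-aware escaper are the fix.
"""
import re

# A line that mentions one of these is assumed to be assembling SQL text.
SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE|WHERE|FROM)\b", re.I)
ADDSLASHES = re.compile(r"\baddslashes\s*\(")
ASSIGN_FROM_ADDSLASHES = re.compile(r"^\s*(\$\w+)\s*=\s*addslashes\s*\(")


def find_weak_escaping(php_source: str) -> list[tuple[int, str]]:
    """Return (line number, stripped line) for each SQL-building line that
    uses addslashes() directly or interpolates a variable that was assigned
    from addslashes() on an earlier line."""
    tainted: set[str] = set()
    findings: list[tuple[int, str]] = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        m = ASSIGN_FROM_ADDSLASHES.match(line)
        if m:
            tainted.add(m.group(1))
        if not SQL_KEYWORD.search(line):
            continue
        uses_tainted = any(re.search(re.escape(v) + r"\b", line) for v in tainted)
        if ADDSLASHES.search(line) or uses_tainted:
            findings.append((lineno, line.strip()))
    return findings


# Constructed PHP sample: two weak lines, then the parameterised form.
SAMPLE = r'''<?php
$user = addslashes($_POST['user']);
$q = "SELECT * FROM users WHERE name = '$user'";
mysql_query("DELETE FROM log WHERE id = '" . addslashes($id) . "'");
$stmt = $pdo->prepare("SELECT * FROM users WHERE name = ?");
$stmt->execute([$_POST['user']]);
'''

if __name__ == "__main__":
    for lineno, text in find_weak_escaping(SAMPLE):
        print(f"line {lineno}: addslashes-based SQL escaping: {text}")
```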

Bug marked as fixed in version 0.2.5-2+dfsg-1.1. Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Mon, 30 Mar 2009 10:09:05 GMT) Full text and rfc822 format available.

Bug marked as fixed in version 0.2.5-2+dfsg-1+lenny1. Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Mon, 30 Mar 2009 10:09:06 GMT) Full text and rfc822 format available.

Severity set to `important' from `grave'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 30 Mar 2009 14:24:05 GMT) Full text and rfc822 format available.

Reply sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
You have taken responsibility. (Sun, 12 Apr 2009 03:12:03 GMT) Full text and rfc822 format available.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Sun, 12 Apr 2009 03:12:03 GMT) Full text and rfc822 format available.

Message #16 received at 521823-done@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 521823-done@bugs.debian.org
Subject: bug was fixed
Date: Sun, 12 Apr 2009 14:11:14 +1100
Version: 0.2.5-2+dfsg-1.1
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 May 2009 07:27:41 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 10:54:39 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.