Bug 386165 - <www-apache/mod_authnz_external-3.2.6: SQL injection (CVE-2011-2688)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Reported: 2011-10-07 22:49 UTC by GLSAMaker/CVETool Bot
Modified: 2011-10-25 17:16 UTC

Description GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:49:16 UTC
CVE-2011-2688 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2688):
  SQL injection vulnerability in mysql/mysql-auth.pl in the
  mod_authnz_external module 3.2.5 and earlier for the Apache HTTP Server
  allows remote attackers to execute arbitrary SQL commands via the user
  field.


3.2.6 contains the fix.

I have just checked the source; our latest stable version (3.1.0) is affected as well.

Please bump.
Comment 1 Steve Dibb (RETIRED) gentoo-dev 2011-10-14 17:31:40 UTC
+  14 Oct 2011; Steve Dibb <beandog@gentoo.org>
+  +mod_authnz_external-3.2.6.ebuild:
+  Version bump, security bug 386165
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-10-14 17:42:26 UTC
(In reply to comment #1)
> +  14 Oct 2011; Steve Dibb <beandog@gentoo.org>
> +  +mod_authnz_external-3.2.6.ebuild:
> +  Version bump, security bug 386165

Great, thanks.

Arches, please test and mark stable:
=www-apache/mod_authnz_external-3.2.6
Target keywords : "amd64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2011-10-14 21:46:39 UTC
amd64 ok
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-15 21:34:45 UTC
x86 stable
Comment 5 Ian Delaney (RETIRED) gentoo-dev 2011-10-16 12:08:27 UTC
amd64 ok
Comment 6 Tony Vroon (RETIRED) gentoo-dev 2011-10-18 10:14:45 UTC
+  18 Oct 2011; Tony Vroon <chainsaw@gentoo.org>
+  mod_authnz_external-3.2.6.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+  "idella4" Delaney in security bug #386165.
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-10-18 10:18:27 UTC
GLSA: yes
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-10-18 14:42:27 UTC
GLSA Vote: yes too. Request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2011-10-25 17:15:42 UTC
This issue was resolved and addressed in
 GLSA 201110-23 at http://security.gentoo.org/glsa/glsa-201110-23.xml
by GLSA coordinator Alex Legler (a3li).
Comment 10 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-10-25 17:16:10 UTC
Please also remove the vulnerable ebuilds from the tree, thanks.