CVE-2011-2688 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2688): SQL injection vulnerability in mysql/mysql-auth.pl in the mod_authnz_external module 3.2.5 and earlier for the Apache HTTP Server allows remote attackers to execute arbitrary SQL commands via the user field. 3.2.6 contains the fix. I have just checked the source; our latest stable version (3.1.0) is affected as well. Please bump.
+ 14 Oct 2011; Steve Dibb <beandog@gentoo.org> + +mod_authnz_external-3.2.6.ebuild: + Version bump, security bug 386165
(In reply to comment #1)
> + 14 Oct 2011; Steve Dibb <beandog@gentoo.org> > + +mod_authnz_external-3.2.6.ebuild: > + Version bump, security bug 386165
Great, thanks.
Arches, please test and mark stable:
=www-apache/mod_authnz_external-3.2.6
Target keywords : "amd64 x86"
amd64 ok
x86 stable
+ 18 Oct 2011; Tony Vroon <chainsaw@gentoo.org> + mod_authnz_external-3.2.6.ebuild: + Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian + "idella4" Delaney in security bug #386165.
GLSA: yes
GLSA Vote: yes too. Request filed.
This issue was resolved and addressed in GLSA 201110-23 at http://security.gentoo.org/glsa/glsa-201110-23.xml by GLSA coordinator Alex Legler (a3li).
Please also remove the vulnerable ebuilds from the tree, thanks.