Summary: | =dev-ml/postgresql-ocaml-1.12.1: Missing escape function (CVE-2009-2943) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Martin Alexander Neumann <hotpotatorouting> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | ml |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.auscert.org.au/render.html?it=11808 | ||
Whiteboard: | ~3 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Martin Alexander Neumann
2009-10-15 17:37:21 UTC
CVE-2009-2943 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2943): The postgresql-ocaml bindings 1.5.4, 1.7.0, and 1.12.1 for PostgreSQL libpq do not properly support the PQescapeStringConn function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings. 2009-09-18: Fixed serious bug in new escape_string method. PLEASE UPGRADE!!! 2009-09-08: API-change: deleted "escape_string" function. There is now a method "escape_string" in the connection class, which is not deprecated and hence safer. ??? I see no mention of latest version in those cve & bug reports. Time to revisit this. None of the versions available in the tree are listed in the CVE. 1.7.0 was removed three years ago. (A year and half before this bug was reported.) 1.12.1 was removed a year ago. 1.5.4 never was in the tree. According to the ChangeLog anyway. Vulnerable version removed 09 Apr 2010. Closing noglsa. |