Summary: | <dev-db/pygresql-4.1.1 : Missing escape function (CVE-2009-2940) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Martin Alexander Neumann <hotpotatorouting> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | pgsql-bugs |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://www.auscert.org.au/render.html?it=11808 | | |
Whiteboard: | B3 [noglsa] | | |
Package list: | | Runtime testing required: | --- |
Description
Martin Alexander Neumann
2009-10-15 17:45:39 UTC
Sorry, arches. CVE-2009-2940 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2940): The pygresql module 3.8.1 and 4.0 for Python does not properly support the PQescapeStringConn function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings.

Please stabilize: =dev-db/pygresql-4.1.1

Stable for HPPA.

amd64 stable

x86 stable

ppc stable

3.8.1 branch is vulnerable as per CVE; are you going to patch it as well, or just migrate to 4.x branch?

alpha stable

ia64 stable

sparc stable.

Maintainer(s), please clean up. Security, please vote.

(In reply to Yury German from comment #8)
> 3.8.1 branch is vulnerable as per CVE; are you going to patch it as well, or
> just migrate to 4.x branch?

We're stabling 4.1.1 to remove the vulnerable versions from the tree.

27 Jan 2014; Aaron W. Swenson <titanofold@gentoo.org> -pygresql-3.8.1.ebuild, -pygresql-4.0.ebuild: Clean out old versions.

GLSA vote: no

GLSA vote: no

Closing as noglsa