It was discovered that pygresql, a PostgreSQL module for Python, was missing a function to call PQescapeStringConn(). This is needed because PQescapeStringConn() honours the charset of the connection and prevents insufficient escaping when certain multibyte character encodings are used. The new function is called pg_escape_string(), which takes the database connection as its first argument. The old function escape_string() has been preserved as well for backwards compatibility. Developers using these bindings are encouraged to adjust their code to use the new function. Reproducible: Didn't try
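An added illustration (not pygresql's or PostgreSQL's own code) of why the escaper must know the connection charset: escape_naive() models byte-oriented backslash escaping in the style of the old escape_string(), while escape_for_connection() models charset-aware, PQescapeStringConn()-style escaping, and literal_closes_early() is a simplified, assumed model of the server's string-literal scanner. Shift_JIS is used because some of its two-byte characters have 0x5C (ASCII backslash) as their second byte.

```python
# Added example, not pygresql's own code: byte-level escaping that ignores the
# connection's client encoding versus escaping done after a strict decode.
# Shift_JIS: the character U+8868 is encoded as 0x95 0x5C, trail byte = backslash.

def escape_naive(raw: bytes) -> bytes:
    """Byte-level backslash escaping of ' and \\, blind to the charset."""
    return raw.replace(b"\\", b"\\\\").replace(b"'", b"\\'")

def escape_for_connection(raw: bytes, client_encoding: str, backslash_escapes: bool = True) -> str:
    """Decode strictly under the connection's charset (malformed input raises),
    then escape in text space, so a backslash can never land inside a character."""
    text = raw.decode(client_encoding)
    if backslash_escapes:  # server treats \ as an escape (legacy behaviour)
        text = text.replace("\\", "\\\\")
    return text.replace("'", "''")

def literal_closes_early(body: str, backslash_escapes: bool = True) -> bool:
    """Assumed model of the server's literal scanner on the text between the
    opening and intended closing quote: True if an unescaped quote ends it early."""
    i = 0
    while i < len(body):
        ch = body[i]
        if backslash_escapes and ch == "\\":
            i += 2          # backslash consumes the next character
        elif ch == "'" and body[i + 1:i + 2] == "'":
            i += 2          # doubled quote is a literal apostrophe
        elif ch == "'":
            return True     # unescaped quote: the literal ends here
        else:
            i += 1
    return False

def naive_outcome(raw: bytes, encoding: str = "shift_jis") -> str:
    # The server decodes the escaper's bytes in the connection charset.
    seen = escape_naive(raw).decode(encoding, errors="replace")
    return "leaks" if literal_closes_early(seen) else "safe"

def charset_aware_outcome(raw: bytes, encoding: str = "shift_jis") -> str:
    try:
        escaped = escape_for_connection(raw, encoding)
    except UnicodeDecodeError:
        return "rejected"   # malformed bytes never reach the SQL string
    return "leaks" if literal_closes_early(escaped) else "safe"

if __name__ == "__main__":
    # Constructed inputs: a well-formed character whose trail byte is 0x5C, then a
    # lone lead byte followed by an apostrophe (a malformed sequence).
    for raw in ("表'".encode("shift_jis"), b"\x95'"):
        print(raw, naive_outcome(raw), charset_aware_outcome(raw))
```

In both constructed cases the byte-level escaper lets the literal close early, while the charset-aware path either escapes correctly or refuses the malformed bytes.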
Sorry, arches.
CVE-2009-2940 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2940): The pygresql module 3.8.1 and 4.0 for Python does not properly support the PQescapeStringConn function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings.
Please stabilize: =dev-db/pygresql-4.1.1
Stable for HPPA.
amd64 stable
x86 stable
ppc stable
The 3.8.1 branch is vulnerable as per the CVE. Are you going to patch it as well, or just migrate to the 4.x branch?
alpha stable
ia64 stable
sparc stable. Maintainer(s), please cleanup. Security, please vote.
(In reply to Yury German from comment #8)
> 3.8.1 Branch is vulnerable as per CVE are you going to patch it as well, or
> just migrate to 4.x branch.

We're stabling 4.1.1 to remove the vulnerable versions from the tree.
27 Jan 2014; Aaron W. Swenson <titanofold@gentoo.org> -pygresql-3.8.1.ebuild, -pygresql-4.0.ebuild: Clean out old versions.
GLSA vote: no
GLSA vote: no. Closing as noglsa.