FS#4692 - Postgres SQL Injection Attack - ALST

Attached to Project: Arch Linux
Opened by James Fryman (jfryman) - Wednesday, 24 May 2006, 11:28 GMT
Task Type Bug Report
Category System
Status Closed
Assigned To No-one
Architecture not specified
Severity Medium
Priority Normal
Reported Version 0.7.1 Noodle
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Issue
=====
Two vulnerabilities have been reported in PostgreSQL, which
potentially can be exploited by malicious people to conduct SQL
injection attacks.

The vulnerabilities are caused due to the differences in the way
PostgreSQL server and non-encoding aware applications interpret SQL
query strings that contain certain multi-byte characters. A
non-encoding aware application may insert escape characters into a
malicious query string (e.g. to escape single-quote or backslash
characters), without realizing that the escape characters will be
interpreted as part of a multi-byte character sequence by the server.
This can be exploited to conduct SQL injection attacks by injecting
certain multi-byte characters into the query string.

Successful exploitation allows bypassing of SQL injection escaping
code that is implemented in non-encoding aware applications.

Solution
========
Postgres 8.1.4 has been released to patch this vulnerability. It can be downloaded at:
http://www.postgresql.org/download/

References
==========
http://archives.postgresql.org/pgsql-announce/2006-05/msg00010.php
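The escaping mismatch the report describes, as an added example that is not part of the bug report or of PostgreSQL: a byte-oriented client escape next to an encoding-aware one, both run through a toy lexer that stands in for the server. It assumes a GBK server encoding (0x95 is a GBK lead byte that pairs with the byte after it); the lexer is a simplified model, not PostgreSQL's parser.

```python
SERVER_ENCODING = "gbk"  # assumed server encoding; 0x95 is a GBK lead byte


def naive_backslash_escape(raw: bytes) -> bytes:
    """Non-encoding-aware client: works on bytes, prefixing every 0x27 (')
    and 0x5C (\\) with a backslash without knowing where characters begin."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x5C):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def encoding_aware_escape(raw: bytes, encoding: str = SERVER_ENCODING) -> bytes:
    """Hardened client: decode strictly (an invalid multibyte sequence is rejected,
    not passed through), escape per character by doubling the quote, re-encode."""
    text = raw.decode(encoding)  # raises UnicodeDecodeError on a bad sequence
    return text.replace("'", "''").encode(encoding)


def server_lex_literal(query: bytes, encoding: str = SERVER_ENCODING):
    """Toy model of the server: decode to characters, then read one quoted literal
    honouring backslash escapes and doubled quotes. Returns (literal, tail)."""
    text = query.decode(encoding)
    i = text.index("'") + 1
    buf = []
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1]); i += 2      # backslash consumes next char
        elif ch == "'" and text[i + 1:i + 2] == "'":
            buf.append("'"); i += 2             # doubled quote is a literal quote
        elif ch == "'":
            return "".join(buf), text[i + 1:]   # closing quote: rest is SQL
        else:
            buf.append(ch); i += 1
    raise ValueError("unterminated literal")


def build_and_lex(user_input: bytes, escaper):
    query = b"SELECT * FROM users WHERE name = '" + escaper(user_input) + b"'"
    return server_lex_literal(query)


if __name__ == "__main__":
    hostile = b"\x95' -- injected"  # constructed: lone lead byte, then a quote
    print(build_and_lex(hostile, naive_backslash_escape))   # tail is " -- injected'"
    try:
        build_and_lex(hostile, encoding_aware_escape)
    except UnicodeDecodeError as err:
        print("hardened client rejected input:", err)
    print(build_and_lex(b"O'Brien", encoding_aware_escape))  # ("O'Brien", "")
```

With the naive client the byte 0x5C it inserted is swallowed as the trailing byte of the 0x95 character, so the quote that follows closes the literal and the tail becomes SQL; the encoding-aware client refuses the invalid sequence instead.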

Closed by Judd Vinet (judd)
Wednesday, 24 May 2006, 16:45 GMT
Reason for closing: Fixed
Additional comments about closing: Upgraded
