lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <877i5ug9dp.fsf@mid.deneb.enyo.de>
Date: Sat, 20 Dec 2008 16:21:38 +0100
From: Steffen Joeris <white@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 1688-1] New courier-authlib packages fix SQL injection

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1688                    security@...ian.org
http://www.debian.org/security/                           Steffen Joeris
December 20, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : courier-authlib
Vulnerability  : SQL injection
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-2380 CVE-2008-2667

Two SQL injection vulnerabilities have beein found in courier-authlib,
the courier authentification library.  The MySQL database interface used
insufficient escaping mechanisms when constructing SQL statements,
leading to SQL injection vulnerabilities if certain charsets are used
(CVE-2008-2380).  A similar issue affects the PostgreSQL database
interface (CVE-2008-2667).

For the stable distribution (etch), these problems have been fixed in
version 0.58-4+etch2.

For the testing distribution (lenny) and the unstable distribution
(sid), these problems have been fixed in version 0.61.0-1+lenny1.

We recommend that you upgrade your courier-authlib packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58.orig.tar.gz
    Size/MD5 checksum:  3342115 75b5b2b72d550048ed1b29e687a1a60d
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2.diff.gz
    Size/MD5 checksum:    44232 5345604d34a363e4519077032a9aeb1f
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2.dsc
    Size/MD5 checksum:      970 9652de3cb3cd60fa91aee7cb1e0b8dca

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch2_alpha.deb
    Size/MD5 checksum:    23168 fadd251992d42011cc6a7ebd98fab8ec
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch2_alpha.deb
    Size/MD5 checksum:     6872 6a4b4a3b87e9d42347e7c5ee8e373cc1
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch2_alpha.deb
    Size/MD5 checksum:    20252 14b6526559b01af55bf98623d6a9dbc2
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch2_alpha.deb
    Size/MD5 checksum:    20360 7fd32c031bc84d59b48e229855d7e347
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch2_alpha.deb
    Size/MD5 checksum:    39046 0b4d0fe9ef5ecfa66d1cef14dc65bb89
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch2_alpha.deb
    Size/MD5 checksum:     8862 90e0a8316f719256734af61ca2bf147d
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch2_alpha.deb
    Size/MD5 checksum:   149956 19cb601a37c170b9de0d3090c56002ab
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2_alpha.deb
    Size/MD5 checksum:    92666 f2c54e7b23aa10157cf8b9704a44ed66

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch2_amd64.deb
    Size/MD5 checksum:     6882 5607bf027063ab70597301e99401b57a
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch2_amd64.deb
    Size/MD5 checksum:    19774 ae1bee7da212b8996858b6e077fcc852
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch2_amd64.deb
    Size/MD5 checksum:    34296 d42351150f3a4e621c27608aeee9144a
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch2_amd64.deb
    Size/MD5 checksum:     8298 8318ba2b8d4cadcd55646686534c42ff
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch2_amd64.deb
    Size/MD5 checksum:   111816 985dd2b71cee857a8a44b1805dd03768
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch2_amd64.deb
    Size/MD5 checksum:    22182 b5fab407e60b9e7bec23535ea8030274
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch2_amd64.deb
    Size/MD5 checksum:    19942 780fbf86d2f64743d00bf82dccc45aef
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2_amd64.deb
    Size/MD5 checksum:    81440 5ae5081441e0ea2e9e20ec037a25ed69

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch2_arm.deb
    Size/MD5 checksum:     6872 27f8dfabf8939a063a2725053d138b03
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch2_arm.deb
    Size/MD5 checksum:    97966 eba6aa3b836e90a1ff85ce72c97856e1
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch2_arm.deb
    Size/MD5 checksum:    18618 1446523e8fc2028b61c82874b9ddbfe9
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch2_arm.deb
    Size/MD5 checksum:    32644 5d4032a7948d90f9873eb256a35c473f
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch2_arm.deb
    Size/MD5 checksum:    20928 81b0bf0c3bb6a012178ea76be1412c0b
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch2_arm.deb
    Size/MD5 checksum:     7694 adfb37f7da5e86a051942defa5baeffb
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2_arm.deb
    Size/MD5 checksum:    76054 31a727fe1fab3eef91954104ce9a5b40
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch2_arm.deb
    Size/MD5 checksum:    18700 2f0f1c6e62d65e1faedbc1f7229f8692

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch2_hppa.deb
    Size/MD5 checksum:    23602 5a8b12e1d2452b53077ad5b1cb4b08f3
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch2_hppa.deb
    Size/MD5 checksum:   123784 57c772189e1a7bfc0a6f991cff14ffdd
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2_hppa.deb
    Size/MD5 checksum:    89110 07ce2983ceb249c9d9f631129d565acb
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch2_hppa.deb
    Size/MD5 checksum:    20682 102963eb336587215a76b993afb64c9b
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch2_hppa.deb
    Size/MD5 checksum:    37816 18f3284ede8bf567622b8279e410a37c
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch2_hppa.deb
    Size/MD5 checksum:    20784 1c1251971aaac18f500fda9566e2787c
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch2_hppa.deb
    Size/MD5 checksum:     8966 936f96deb13d2c7abde35912eb22110e
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch2_hppa.deb
    Size/MD5 checksum:     6878 a3e177edd667d1b89b2acd0d16529cb2

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2_i386.deb
    Size/MD5 checksum:    76266 9abde4499ec4919ce1ee6633e2871aad
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch2_i386.deb
    Size/MD5 checksum:   100192 9f3bd2ea757c627fae011129bcf14bae
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch2_i386.deb
    Size/MD5 checksum:     7728 9cf2c4ddfe99f0db67e46e353f39d883
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch2_i386.deb
    Size/MD5 checksum:    33184 fb771a57caaac542a78141efb27f0b0d
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch2_i386.deb
    Size/MD5 checksum:    18754 3d19957c59c1ad0698523390fb19c5c7
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch2_i386.deb
    Size/MD5 checksum:    18692 f60e095965045a5bd389b052917dd98f
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch2_i386.deb
    Size/MD5 checksum:     6878 53ff4849663f484dd32b1cdcb2015e39
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch2_i386.deb
    Size/MD5 checksum:    21136 218beca3fda1b69bb92ee651c1216a6f

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch2_ia64.deb
    Size/MD5 checksum:    44658 63ccc17e4a93a71423a1cefccfd032d0
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch2_ia64.deb
    Size/MD5 checksum:   147862 b75faf449376d7f8d601e6fb610b28b2
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch2_ia64.deb
    Size/MD5 checksum:     6878 d892eeb8581570f4c9b3772d618bbb41
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2_ia64.deb
    Size/MD5 checksum:   109816 5f52dc98ce62c00cfb3dd05ce7ae8ac4
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch2_ia64.deb
    Size/MD5 checksum:    10114 98ab7d1303bd6bfbd550bafb712d551f
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch2_ia64.deb
    Size/MD5 checksum:    23788 f0dd7e45dc8cefc82744622f426a9b16
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch2_ia64.deb
    Size/MD5 checksum:    28012 313a36d030a0f2d7e6c1a0ff057e0474
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch2_ia64.deb
    Size/MD5 checksum:    23670 6ae95423f408ff5b431536e4d934e09b

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch2_mips.deb
    Size/MD5 checksum:     6884 20dc9fbb351bf8c8ce0cbaf3625b4175
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2_mips.deb
    Size/MD5 checksum:    81760 773ab2a44f73d8776f4c773c0f37ff47
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch2_mips.deb
    Size/MD5 checksum:   124568 955cb5ddad18933638b22d022817524a
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch2_mips.deb
    Size/MD5 checksum:    35150 ed3d846058245e93aaa8417ff4773761
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch2_mips.deb
    Size/MD5 checksum:    19394 5481da3efe4b88040ea1cc355ff664ac
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch2_mips.deb
    Size/MD5 checksum:    21814 c26ef062bfc68a6fb7f0f19640774a8d
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch2_mips.deb
    Size/MD5 checksum:     8112 ef79a0fc7f0425425488845b44ecbd14
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch2_mips.deb
    Size/MD5 checksum:    19340 6ab700571fe303005763cc55fa2a9d47

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2_mipsel.deb
    Size/MD5 checksum:    81626 a98cb782eb9ac71dbc7cdc148190d4e8
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch2_mipsel.deb
    Size/MD5 checksum:    19402 0a22244477b87b572cb864ecb6de5e04
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch2_mipsel.deb
    Size/MD5 checksum:    21936 8be79200e34bc0772bc11bf440ef8155
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch2_mipsel.deb
    Size/MD5 checksum:    35924 660a86bbc151ac2326641f0c12d3ba2b
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch2_mipsel.deb
    Size/MD5 checksum:     6876 39554139fc894f21349284780882ad4e
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch2_mipsel.deb
    Size/MD5 checksum:   120836 c863a7ee2e9a024d017dc87f1384def5
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch2_mipsel.deb
    Size/MD5 checksum:     8124 3ebee4b6e23b4eb939c03f52d822dea7
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch2_mipsel.deb
    Size/MD5 checksum:    19396 96746e0f3577918cfbbb3118d78f6424

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch2_powerpc.deb
    Size/MD5 checksum:     8244 54f6e43f51140bf09f871658da742d4f
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch2_powerpc.deb
    Size/MD5 checksum:    35682 175f7cee84457c57dce1bd3915f9b48b
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2_powerpc.deb
    Size/MD5 checksum:    88018 de4c18fbeb549d43de7189023a887b09
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch2_powerpc.deb
    Size/MD5 checksum:     6880 4ae52c04c9446d42b39a2340ed2e9ae7
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch2_powerpc.deb
    Size/MD5 checksum:    21996 54f45485b1f88781ee145dcd6847afc3
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch2_powerpc.deb
    Size/MD5 checksum:    19746 ba53ebc588b12d139e175e6a3b0e2315
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch2_powerpc.deb
    Size/MD5 checksum:    19596 aece91a5ad82c97d0f6f0b0c75a1e628
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch2_powerpc.deb
    Size/MD5 checksum:   110260 a7f3e9b62fa4dab338af7464562e7f29

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2_s390.deb
    Size/MD5 checksum:    84426 12adf5edd57f25e8dda31417bffe5277
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch2_s390.deb
    Size/MD5 checksum:    22658 bff8b619d28a2c02c0e0d228b31a2828
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch2_s390.deb
    Size/MD5 checksum:    35816 f057afbbba8dafbc5827dfa504b842b6
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch2_s390.deb
    Size/MD5 checksum:     6872 60905c2b17770da18a483849809dd4b0
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch2_s390.deb
    Size/MD5 checksum:     8194 8102bda398f54234ebeabcb5c2bbcfff
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch2_s390.deb
    Size/MD5 checksum:    19886 120cc50919aefebe724141543173ff6a
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch2_s390.deb
    Size/MD5 checksum:   102794 5abef9d9db542efb812b1f40c331fe10
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch2_s390.deb
    Size/MD5 checksum:    19678 07d4fdb3dfe964f7770f99a29a8cc405

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch2_sparc.deb
    Size/MD5 checksum:     6882 19e4ec02b0d0a26482db9d1e0d1f168a
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch2_sparc.deb
    Size/MD5 checksum:    19080 347c0a4835423e986b618c38c4f3586c
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch2_sparc.deb
    Size/MD5 checksum:   102236 086d13b5f6c3c17b622135138a0e703d
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch2_sparc.deb
    Size/MD5 checksum:    21726 0485cac725699e762019d63304762eab
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch2_sparc.deb
    Size/MD5 checksum:    33400 4790920e8e38c0484caa4d8b4b6fa74f
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2_sparc.deb
    Size/MD5 checksum:    75614 355dc789b011cd3b95485d08fcf093c5
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch2_sparc.deb
    Size/MD5 checksum:    19072 73849401eddf1746db3d399f17bdd788
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch2_sparc.deb
    Size/MD5 checksum:     7774 533a11e8ddb8bb68a0e2defbeecf6b0c


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJJTQzXAAoJEL97/wQC1SS+ZowH/3qn5mXCDhGve59HqtxW3ngu
M6ylx6jfaL9u8H45+UpTKi+GPB/WCaoJxpZjAdK3xIjpOKR1bSzfnxI0YtDsNsaR
/0nbgWgg3bi6iVNyB5M84mF/BxqOdKrXcNvG/iwXwG+v0v8A8bZ/KeLBD6U14Pkl
79N8/f2INwF1OvnOMWqRDjcYAj65sV9Ez8M8SMZDxQvfK2VNIEItw22th7HAbZ0K
L0sGmrGvVa6KQJ5cuUCZW30jfBS52Jn3GLV7ws1oGlZyMefb1rJslfDKewvpv5IM
3JLj9F6RLluer5eVoUhf8SVM0fgiH3Py0pk5LRN4M5JSSIW5OeW1VD7FZgSZG4c=
=u7OX
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ