[<prev] [next>] [day] [month] [year] [list]
Message-ID: <877i5ug9dp.fsf@mid.deneb.enyo.de>
Date: Sat, 20 Dec 2008 16:21:38 +0100
From: Steffen Joeris <white@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 1688-1] New courier-authlib packages fix SQL injection
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1688 security@...ian.org
http://www.debian.org/security/ Steffen Joeris
December 20, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : courier-authlib
Vulnerability : SQL injection
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-2380 CVE-2008-2667
Two SQL injection vulnerabilities have beein found in courier-authlib,
the courier authentification library. The MySQL database interface used
insufficient escaping mechanisms when constructing SQL statements,
leading to SQL injection vulnerabilities if certain charsets are used
(CVE-2008-2380). A similar issue affects the PostgreSQL database
interface (CVE-2008-2667).
For the stable distribution (etch), these problems have been fixed in
version 0.58-4+etch2.
For the testing distribution (lenny) and the unstable distribution
(sid), these problems have been fixed in version 0.61.0-1+lenny1.
We recommend that you upgrade your courier-authlib packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Source archives:
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58.orig.tar.gz
Size/MD5 checksum: 3342115 75b5b2b72d550048ed1b29e687a1a60d
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2.diff.gz
Size/MD5 checksum: 44232 5345604d34a363e4519077032a9aeb1f
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2.dsc
Size/MD5 checksum: 970 9652de3cb3cd60fa91aee7cb1e0b8dca
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch2_alpha.deb
Size/MD5 checksum: 23168 fadd251992d42011cc6a7ebd98fab8ec
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch2_alpha.deb
Size/MD5 checksum: 6872 6a4b4a3b87e9d42347e7c5ee8e373cc1
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch2_alpha.deb
Size/MD5 checksum: 20252 14b6526559b01af55bf98623d6a9dbc2
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch2_alpha.deb
Size/MD5 checksum: 20360 7fd32c031bc84d59b48e229855d7e347
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch2_alpha.deb
Size/MD5 checksum: 39046 0b4d0fe9ef5ecfa66d1cef14dc65bb89
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch2_alpha.deb
Size/MD5 checksum: 8862 90e0a8316f719256734af61ca2bf147d
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch2_alpha.deb
Size/MD5 checksum: 149956 19cb601a37c170b9de0d3090c56002ab
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2_alpha.deb
Size/MD5 checksum: 92666 f2c54e7b23aa10157cf8b9704a44ed66
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch2_amd64.deb
Size/MD5 checksum: 6882 5607bf027063ab70597301e99401b57a
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch2_amd64.deb
Size/MD5 checksum: 19774 ae1bee7da212b8996858b6e077fcc852
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch2_amd64.deb
Size/MD5 checksum: 34296 d42351150f3a4e621c27608aeee9144a
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch2_amd64.deb
Size/MD5 checksum: 8298 8318ba2b8d4cadcd55646686534c42ff
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch2_amd64.deb
Size/MD5 checksum: 111816 985dd2b71cee857a8a44b1805dd03768
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch2_amd64.deb
Size/MD5 checksum: 22182 b5fab407e60b9e7bec23535ea8030274
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch2_amd64.deb
Size/MD5 checksum: 19942 780fbf86d2f64743d00bf82dccc45aef
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2_amd64.deb
Size/MD5 checksum: 81440 5ae5081441e0ea2e9e20ec037a25ed69
arm architecture (ARM)
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch2_arm.deb
Size/MD5 checksum: 6872 27f8dfabf8939a063a2725053d138b03
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch2_arm.deb
Size/MD5 checksum: 97966 eba6aa3b836e90a1ff85ce72c97856e1
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch2_arm.deb
Size/MD5 checksum: 18618 1446523e8fc2028b61c82874b9ddbfe9
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch2_arm.deb
Size/MD5 checksum: 32644 5d4032a7948d90f9873eb256a35c473f
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch2_arm.deb
Size/MD5 checksum: 20928 81b0bf0c3bb6a012178ea76be1412c0b
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch2_arm.deb
Size/MD5 checksum: 7694 adfb37f7da5e86a051942defa5baeffb
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2_arm.deb
Size/MD5 checksum: 76054 31a727fe1fab3eef91954104ce9a5b40
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch2_arm.deb
Size/MD5 checksum: 18700 2f0f1c6e62d65e1faedbc1f7229f8692
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch2_hppa.deb
Size/MD5 checksum: 23602 5a8b12e1d2452b53077ad5b1cb4b08f3
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch2_hppa.deb
Size/MD5 checksum: 123784 57c772189e1a7bfc0a6f991cff14ffdd
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2_hppa.deb
Size/MD5 checksum: 89110 07ce2983ceb249c9d9f631129d565acb
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch2_hppa.deb
Size/MD5 checksum: 20682 102963eb336587215a76b993afb64c9b
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch2_hppa.deb
Size/MD5 checksum: 37816 18f3284ede8bf567622b8279e410a37c
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch2_hppa.deb
Size/MD5 checksum: 20784 1c1251971aaac18f500fda9566e2787c
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch2_hppa.deb
Size/MD5 checksum: 8966 936f96deb13d2c7abde35912eb22110e
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch2_hppa.deb
Size/MD5 checksum: 6878 a3e177edd667d1b89b2acd0d16529cb2
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2_i386.deb
Size/MD5 checksum: 76266 9abde4499ec4919ce1ee6633e2871aad
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch2_i386.deb
Size/MD5 checksum: 100192 9f3bd2ea757c627fae011129bcf14bae
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch2_i386.deb
Size/MD5 checksum: 7728 9cf2c4ddfe99f0db67e46e353f39d883
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch2_i386.deb
Size/MD5 checksum: 33184 fb771a57caaac542a78141efb27f0b0d
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch2_i386.deb
Size/MD5 checksum: 18754 3d19957c59c1ad0698523390fb19c5c7
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch2_i386.deb
Size/MD5 checksum: 18692 f60e095965045a5bd389b052917dd98f
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch2_i386.deb
Size/MD5 checksum: 6878 53ff4849663f484dd32b1cdcb2015e39
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch2_i386.deb
Size/MD5 checksum: 21136 218beca3fda1b69bb92ee651c1216a6f
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch2_ia64.deb
Size/MD5 checksum: 44658 63ccc17e4a93a71423a1cefccfd032d0
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch2_ia64.deb
Size/MD5 checksum: 147862 b75faf449376d7f8d601e6fb610b28b2
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch2_ia64.deb
Size/MD5 checksum: 6878 d892eeb8581570f4c9b3772d618bbb41
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2_ia64.deb
Size/MD5 checksum: 109816 5f52dc98ce62c00cfb3dd05ce7ae8ac4
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch2_ia64.deb
Size/MD5 checksum: 10114 98ab7d1303bd6bfbd550bafb712d551f
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch2_ia64.deb
Size/MD5 checksum: 23788 f0dd7e45dc8cefc82744622f426a9b16
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch2_ia64.deb
Size/MD5 checksum: 28012 313a36d030a0f2d7e6c1a0ff057e0474
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch2_ia64.deb
Size/MD5 checksum: 23670 6ae95423f408ff5b431536e4d934e09b
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch2_mips.deb
Size/MD5 checksum: 6884 20dc9fbb351bf8c8ce0cbaf3625b4175
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2_mips.deb
Size/MD5 checksum: 81760 773ab2a44f73d8776f4c773c0f37ff47
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch2_mips.deb
Size/MD5 checksum: 124568 955cb5ddad18933638b22d022817524a
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch2_mips.deb
Size/MD5 checksum: 35150 ed3d846058245e93aaa8417ff4773761
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch2_mips.deb
Size/MD5 checksum: 19394 5481da3efe4b88040ea1cc355ff664ac
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch2_mips.deb
Size/MD5 checksum: 21814 c26ef062bfc68a6fb7f0f19640774a8d
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch2_mips.deb
Size/MD5 checksum: 8112 ef79a0fc7f0425425488845b44ecbd14
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch2_mips.deb
Size/MD5 checksum: 19340 6ab700571fe303005763cc55fa2a9d47
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2_mipsel.deb
Size/MD5 checksum: 81626 a98cb782eb9ac71dbc7cdc148190d4e8
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch2_mipsel.deb
Size/MD5 checksum: 19402 0a22244477b87b572cb864ecb6de5e04
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch2_mipsel.deb
Size/MD5 checksum: 21936 8be79200e34bc0772bc11bf440ef8155
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch2_mipsel.deb
Size/MD5 checksum: 35924 660a86bbc151ac2326641f0c12d3ba2b
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch2_mipsel.deb
Size/MD5 checksum: 6876 39554139fc894f21349284780882ad4e
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch2_mipsel.deb
Size/MD5 checksum: 120836 c863a7ee2e9a024d017dc87f1384def5
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch2_mipsel.deb
Size/MD5 checksum: 8124 3ebee4b6e23b4eb939c03f52d822dea7
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch2_mipsel.deb
Size/MD5 checksum: 19396 96746e0f3577918cfbbb3118d78f6424
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch2_powerpc.deb
Size/MD5 checksum: 8244 54f6e43f51140bf09f871658da742d4f
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch2_powerpc.deb
Size/MD5 checksum: 35682 175f7cee84457c57dce1bd3915f9b48b
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2_powerpc.deb
Size/MD5 checksum: 88018 de4c18fbeb549d43de7189023a887b09
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch2_powerpc.deb
Size/MD5 checksum: 6880 4ae52c04c9446d42b39a2340ed2e9ae7
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch2_powerpc.deb
Size/MD5 checksum: 21996 54f45485b1f88781ee145dcd6847afc3
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch2_powerpc.deb
Size/MD5 checksum: 19746 ba53ebc588b12d139e175e6a3b0e2315
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch2_powerpc.deb
Size/MD5 checksum: 19596 aece91a5ad82c97d0f6f0b0c75a1e628
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch2_powerpc.deb
Size/MD5 checksum: 110260 a7f3e9b62fa4dab338af7464562e7f29
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2_s390.deb
Size/MD5 checksum: 84426 12adf5edd57f25e8dda31417bffe5277
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch2_s390.deb
Size/MD5 checksum: 22658 bff8b619d28a2c02c0e0d228b31a2828
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch2_s390.deb
Size/MD5 checksum: 35816 f057afbbba8dafbc5827dfa504b842b6
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch2_s390.deb
Size/MD5 checksum: 6872 60905c2b17770da18a483849809dd4b0
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch2_s390.deb
Size/MD5 checksum: 8194 8102bda398f54234ebeabcb5c2bbcfff
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch2_s390.deb
Size/MD5 checksum: 19886 120cc50919aefebe724141543173ff6a
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch2_s390.deb
Size/MD5 checksum: 102794 5abef9d9db542efb812b1f40c331fe10
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch2_s390.deb
Size/MD5 checksum: 19678 07d4fdb3dfe964f7770f99a29a8cc405
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch2_sparc.deb
Size/MD5 checksum: 6882 19e4ec02b0d0a26482db9d1e0d1f168a
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch2_sparc.deb
Size/MD5 checksum: 19080 347c0a4835423e986b618c38c4f3586c
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch2_sparc.deb
Size/MD5 checksum: 102236 086d13b5f6c3c17b622135138a0e703d
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch2_sparc.deb
Size/MD5 checksum: 21726 0485cac725699e762019d63304762eab
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch2_sparc.deb
Size/MD5 checksum: 33400 4790920e8e38c0484caa4d8b4b6fa74f
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch2_sparc.deb
Size/MD5 checksum: 75614 355dc789b011cd3b95485d08fcf093c5
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch2_sparc.deb
Size/MD5 checksum: 19072 73849401eddf1746db3d399f17bdd788
http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch2_sparc.deb
Size/MD5 checksum: 7774 533a11e8ddb8bb68a0e2defbeecf6b0c
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iQEcBAEBAgAGBQJJTQzXAAoJEL97/wQC1SS+ZowH/3qn5mXCDhGve59HqtxW3ngu
M6ylx6jfaL9u8H45+UpTKi+GPB/WCaoJxpZjAdK3xIjpOKR1bSzfnxI0YtDsNsaR
/0nbgWgg3bi6iVNyB5M84mF/BxqOdKrXcNvG/iwXwG+v0v8A8bZ/KeLBD6U14Pkl
79N8/f2INwF1OvnOMWqRDjcYAj65sV9Ez8M8SMZDxQvfK2VNIEItw22th7HAbZ0K
L0sGmrGvVa6KQJ5cuUCZW30jfBS52Jn3GLV7ws1oGlZyMefb1rJslfDKewvpv5IM
3JLj9F6RLluer5eVoUhf8SVM0fgiH3Py0pk5LRN4M5JSSIW5OeW1VD7FZgSZG4c=
=u7OX
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists