lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <87k59rg5nv.fsf@mid.deneb.enyo.de>
Date: Tue, 23 Dec 2008 00:18:44 +0100
From: Florian Weimer <fw@...eb.enyo.de>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 1688-2] New courier-authlib packages fix regression

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1688-2                  security@...ian.org
http://www.debian.org/security/                           Steffen Joeris
December 22, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : courier-authlib
Vulnerability  : SQL injection
Problem type   : local/remote XXX
Debian-specific: no
CVE Id(s)      : CVE-2008-2380 CVE-2008-2667

The update of courier-authlib in DSA 1688-1 caused a regression with
setups that do not use mail addresses for authentification.  This update
fixes this regression. For reference, the full advisory text is below.

Two SQL injection vulnerabilities have beein found in courier-authlib,
the courier authentification library.  The MySQL database interface used
insufficient escaping mechanisms when constructing SQL statements,
leading to SQL injection vulnerabilities if certain charsets are used
(CVE-2008-2380).  A similar issue affects the PostgreSQL database
interface (CVE-2008-2667).

For the stable distribution (etch), these problems have been fixed in
version 0.58-4+etch3.

For the testing distribution (lenny) and the unstable distribution
(sid), these problems have been fixed in version 0.61.0-1+lenny1.

We recommend that you upgrade your courier-authlib packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3.dsc
    Size/MD5 checksum:      970 eea6bc2a491339d1b06f0d9891906a4f
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58.orig.tar.gz
    Size/MD5 checksum:  3342115 75b5b2b72d550048ed1b29e687a1a60d
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3.diff.gz
    Size/MD5 checksum:    44339 c051936ba955b33ac17bed1a7a062ed6

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch3_alpha.deb
    Size/MD5 checksum:   150150 c1fb3322ef09b7e5592cdb2e0e972e8b
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch3_alpha.deb
    Size/MD5 checksum:     6982 fdcfcee4cf7e92463d80fc52c31544c6
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch3_alpha.deb
    Size/MD5 checksum:     8958 d0d7c0c186dc70bf163fb56efdac13e0
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3_alpha.deb
    Size/MD5 checksum:    92768 ad72b16c890b88f5878b044ba634d743
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch3_alpha.deb
    Size/MD5 checksum:    23274 072c28b73f51ec0c0853d2235cc43f7a
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch3_alpha.deb
    Size/MD5 checksum:    20456 9946cb154a436ad185e6ac59d219ee0d
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch3_alpha.deb
    Size/MD5 checksum:    20384 add1d85c7f9f1f951110112e57dd941c
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch3_alpha.deb
    Size/MD5 checksum:    39140 eb641b37baca55b34824e6ccc9123604

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch3_amd64.deb
    Size/MD5 checksum:   111930 9eadcaae493d99804507584da9a84ed3
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch3_amd64.deb
    Size/MD5 checksum:    22290 82ddefca4a28ee7b7138b769bdf70a46
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch3_amd64.deb
    Size/MD5 checksum:     8404 17f359e16622de5b346c4b6ec21b46d5
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch3_amd64.deb
    Size/MD5 checksum:    34396 3db1718272c4bd67cd9afb61176d6b93
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3_amd64.deb
    Size/MD5 checksum:    81536 13269dedb780975742c82e8b132fc1e8
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch3_amd64.deb
    Size/MD5 checksum:    20070 0a0f9a90faff809bf7fcb6828146e1ca
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch3_amd64.deb
    Size/MD5 checksum:     6978 8046f6964e4b80c81bfb18f53a861808
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch3_amd64.deb
    Size/MD5 checksum:    19874 b6255a89d42af434881f4a70047b35af

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch3_hppa.deb
    Size/MD5 checksum:     6982 883a20dc2aa90969542ec955752bff73
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch3_hppa.deb
    Size/MD5 checksum:    37910 625d55b6bca6443e8a4815948a8be2f1
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch3_hppa.deb
    Size/MD5 checksum:    20838 ddedaa4084343959757826e6bff14bfc
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch3_hppa.deb
    Size/MD5 checksum:    20872 07755a04f444333e80f07b37057fc35a
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch3_hppa.deb
    Size/MD5 checksum:     9066 74c2fb5f4c6d5e56d4659746a92a3d51
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3_hppa.deb
    Size/MD5 checksum:    89204 1b0afa7787fac7d6a28c94f667ced9fe
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch3_hppa.deb
    Size/MD5 checksum:    23672 f01834aacc18dab3bd4b6f6d963df347
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch3_hppa.deb
    Size/MD5 checksum:   123946 00826c1564cdae69df31a42418562c4c

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch3_i386.deb
    Size/MD5 checksum:    18984 3ba8eb6f6cca2ee36e0f244c4534ae06
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch3_i386.deb
    Size/MD5 checksum:    21244 711ee9c10e91535cb95574a40ed003bf
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch3_i386.deb
    Size/MD5 checksum:     6984 01ce4d9a33afd119261053e902ddf776
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3_i386.deb
    Size/MD5 checksum:    76350 01bea1c85a49803f32a641d5c88aa47f
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch3_i386.deb
    Size/MD5 checksum:    18792 973c61fe45d343a5f6e733583677a660
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch3_i386.deb
    Size/MD5 checksum:    33270 9b64fa8ef06742b5c3c30b513380ed10
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch3_i386.deb
    Size/MD5 checksum:     7832 b32c9185e3e953f32198ac39c4b34658
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch3_i386.deb
    Size/MD5 checksum:   100350 20f136305d113cb313583524d99c2257

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3_ia64.deb
    Size/MD5 checksum:   109912 f34ccc9736f6f983e3808609effe05d2
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch3_ia64.deb
    Size/MD5 checksum:    28118 83b5b87867515ef4ffb2c7f55d2bfd43
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch3_ia64.deb
    Size/MD5 checksum:     6976 1147d769c809e15bc774ac185f1b8b42
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch3_ia64.deb
    Size/MD5 checksum:    44760 2edbd453344c340ecbce8e7cc6680512
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch3_ia64.deb
    Size/MD5 checksum:    23770 c2482713d38f71c3df161e15266d9cc1
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch3_ia64.deb
    Size/MD5 checksum:    24068 e2e591dcc0b79db504364cff45925c1c
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch3_ia64.deb
    Size/MD5 checksum:   148148 aa9a24fe0797adce9743dad4a5a69f11
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch3_ia64.deb
    Size/MD5 checksum:    10212 9776f4d13b0f55805963dc9ebe0cb775

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch3_mips.deb
    Size/MD5 checksum:   124734 db5ac1f173860a9a8b0abdb81899eaf5
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch3_mips.deb
    Size/MD5 checksum:    21922 f905ce6714943afc4f99bde253ad06dd
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3_mips.deb
    Size/MD5 checksum:    81866 342671c976b85df7f9cbdcd4e9944fbc
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch3_mips.deb
    Size/MD5 checksum:     6980 67f98c77898ebe0ad905c87a22df3765
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch3_mips.deb
    Size/MD5 checksum:     8212 8f102b2250c3d69e28dcc72a50e660b9
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch3_mips.deb
    Size/MD5 checksum:    19488 a7fc20bcbaafd8d6f0053b41b2e07e5e
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch3_mips.deb
    Size/MD5 checksum:    19506 782e5bf2a2ba56eba4f9836ffae51125
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch3_mips.deb
    Size/MD5 checksum:    35230 113b19cb398cdd1d9599a0cc21887e0c

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch3_mipsel.deb
    Size/MD5 checksum:    19500 69d3c6a55491a2b05e8e45a4dfb44c09
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch3_mipsel.deb
    Size/MD5 checksum:    22040 c20f1e9c94a4fb18fd395faea3166422
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch3_mipsel.deb
    Size/MD5 checksum:   120978 709261a8c1f12aa3a2c41f7927277219
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3_mipsel.deb
    Size/MD5 checksum:    81726 30bd7b0c49f3c2e061dfd334a4228480
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch3_mipsel.deb
    Size/MD5 checksum:     6984 1abad4411b157633529b23495a10dbf9
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch3_mipsel.deb
    Size/MD5 checksum:    19534 423fc50987ba31f0fc36f9fa6b1a1996
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch3_mipsel.deb
    Size/MD5 checksum:    36020 b2503eacfd49e69405e0523b2116a05b
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch3_mipsel.deb
    Size/MD5 checksum:     8228 f3394eef4fe9fd4415b04398a434fd09

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3_powerpc.deb
    Size/MD5 checksum:    88110 26ab00dd8ee3fc7614aec67c46672621
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch3_powerpc.deb
    Size/MD5 checksum:    19706 e3a473111e423e8238da8fa1e9fcc5f2
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch3_powerpc.deb
    Size/MD5 checksum:     8352 b5a2f944ca239eb5a333a8da10a8b745
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch3_powerpc.deb
    Size/MD5 checksum:    19890 22eab317e0e2158d748f9241f7aed0a3
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch3_powerpc.deb
    Size/MD5 checksum:    35768 8a1a598aed19939add47f6e65149c97d
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch3_powerpc.deb
    Size/MD5 checksum:     6980 0a5425ab814688d31b2d773941e5b56a
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch3_powerpc.deb
    Size/MD5 checksum:   110380 0e1c65ff5693adb9b0865aaba67bd5da
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch3_powerpc.deb
    Size/MD5 checksum:    22104 4ee5709bc224137a1733e75966c305dd

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch3_s390.deb
    Size/MD5 checksum:     8288 7d1547a5ddade9332cfd1dc618fd65dc
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch3_s390.deb
    Size/MD5 checksum:     6970 a1b9b7c977b68a50d3736d669f88bb8b
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch3_s390.deb
    Size/MD5 checksum:   102932 519d077f2a54fd34f3f9f86151ff2a85
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch3_s390.deb
    Size/MD5 checksum:    22768 91530b8b45b0c792a2430cafc8502c2b
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch3_s390.deb
    Size/MD5 checksum:    19778 c3252ded11e8694ac91f7458e54a0364
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3_s390.deb
    Size/MD5 checksum:    84534 9d9b385748427bcd4a240365d5da651b
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch3_s390.deb
    Size/MD5 checksum:    20034 337f77aa4ddd3f32af8dac532bdef1d3
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch3_s390.deb
    Size/MD5 checksum:    35918 570f14e13e5541253b014dc5f707475e

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch3_sparc.deb
    Size/MD5 checksum:    33484 8dab32a63b1fc4ded9fbfdde33ef3639
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch3_sparc.deb
    Size/MD5 checksum:   102396 8a2f9a0f833510ef53375926befda961
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch3_sparc.deb
    Size/MD5 checksum:     6988 9b01eba47daf823d4f1198a90b784c6c
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3_sparc.deb
    Size/MD5 checksum:    75698 09c45f6116ca18e48c8e3702dada54b1
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch3_sparc.deb
    Size/MD5 checksum:     7878 3009ba4c1c2f042b5fe7e5e9ad4655b6
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch3_sparc.deb
    Size/MD5 checksum:    19218 64ed92e3620a8c3eb44a3655a93cf51d
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch3_sparc.deb
    Size/MD5 checksum:    21830 97997f7a1fde6c52f7d7ddffdbe66724
  http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch3_sparc.deb
    Size/MD5 checksum:    19170 fe45e9811a4f95cd469f7f1dbd607098


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJJUCBIAAoJEL97/wQC1SS+BVsH/335R5WqInHRraHk0JE3Owzt
qV5xBgjWXnU7cxKEvsPmvhYanJs6kjd24S5d9GOQVVZhKS6zC6ToH+u7GwOnYChR
+kLdtLziYSx8mcZUtrjWeL/iYaE3xClRTROgfYUXrMJ2RawU4kUgx7nxTPwF76ei
axmURM4ImgoxVF7fMRRIoX/pgvl3dGoUPdzCepxTrrdjqfUhXZCaQ8l7xikKVcGV
71oM7szbhZL6QIBxY2G4Oa/LByuj1UOSfo9y0M4+V46KyFYBjjKbzbqNpo2agLU+
7LR0mtk7dYvVDDdr/gDBcTJ0y8UCkrJ3SVTJqHVXHx8CrDikc5IfOqEd+1sWA1g=
=0+3H
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ