Package: dovecot-common
Severity: important
Version: 1.0.beta3-3
Tags: security

Hi!

Recently, a security hole has been discovered in PostgreSQL client
applications, see http://www.postgresql.org/docs/techdocs.50 for
details. In short, using \' for quote escaping is insecure and now not
allowed any more in some encodings which are prone to this SQL
injection attack. This has been assigned CVE-2006-2314.

src/lib/strescape.c, str_escape() currently uses \' to escape quoting.
This function is also used to escape SQL queries, which makes it
vulnerable to this attack with earlier PostgreSQL versions, and
will break with the current one (since it disables this method of
quote escaping by default in affected client encodings). The database
query quoting should be changed to use '' instead of \', but a better
fix is to completely replace custom quoting with an invocation of
PQescapeString() from libpq.

Please be aware that this also affects other database backends in
principle (unless they do not support the affected encodings). Also,
'' is the SQL standard escape for ', not \'.

Please also pass this to upstream.

Thank you!

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
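As an added illustration of the fix the report recommends (this is example code, not Dovecot's strescape.c and not libpq), the escaper below doubles every ' instead of prefixing it with a backslash, and doubles existing backslashes as well, so it never introduces a 0x5c byte that a multibyte lead byte could swallow. The helper escapes_to() is a hypothetical check routine used only to compare outputs against expected byte strings.

```c
#include <stddef.h>
#include <string.h>

/* Escape src (srclen bytes) for use inside a single-quoted SQL literal
 * using the SQL standard '' form rather than \'. Backslashes are doubled
 * too, because PostgreSQL of that era still treats \ as an escape inside
 * ordinary literals, so a trailing \ in the input could otherwise cancel
 * the closing quote. Unlike \' escaping, this adds no 0x5c byte next to
 * a quote, so a lead byte of a multibyte encoding cannot absorb the
 * escape and leave the quote bare. An encoding-aware escaper such as
 * libpq's PQescapeString() is still the preferred fix.
 *
 * Returns bytes written (excluding the NUL), or (size_t)-1 if dst is too
 * small; dst needs 2*srclen+1 bytes in the worst case. */
size_t sql_escape_literal(const char *src, size_t srclen,
                          char *dst, size_t dstlen)
{
	size_t out = 0;

	for (size_t i = 0; i < srclen; i++) {
		size_t need = (src[i] == '\'' || src[i] == '\\') ? 2 : 1;

		if (out + need >= dstlen)
			return (size_t)-1;   /* leave room for the NUL */
		dst[out++] = src[i];
		if (need == 2)
			dst[out++] = src[i]; /* double the quote or backslash */
	}
	dst[out] = '\0';
	return out;
}

/* Check helper: escape the NUL-terminated src into a buffer of dstlen
 * bytes (capped at 64) and compare with expected. Pass expected == NULL
 * to assert that the output does not fit. Returns 1 on a match. */
int escapes_to(const char *src, size_t dstlen, const char *expected)
{
	char buf[64];
	size_t n;

	if (dstlen > sizeof buf)
		dstlen = sizeof buf;
	n = sql_escape_literal(src, strlen(src), buf, dstlen);
	if (n == (size_t)-1)
		return expected == NULL;
	return expected != NULL && n == strlen(expected) &&
	       memcmp(buf, expected, n + 1) == 0;
}
```

The constructed input "\xbf'" stands in for a lead byte followed by a quote; with \' escaping the server could read 0xbf 0x5c as one character, whereas the '' form yields 0xbf 0x27 0x27 and no backslash at all.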
