Your message dated Thu, 21 Sep 2006 02:05:19 +0200
with message-id <[EMAIL PROTECTED]>
and subject line [vendor-sec] Question about PostgreSQL SQL injection fix in 7.6.86
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
package: pike7.2
version: 7.2.580-3.1
severity: grave
tags: security

A vulnerability has been found in pike which is also present in sarge.
See
http://secunia.com/advisories/20494/


--- End Message ---
--- Begin Message ---
Version: 7.6.87-1

On Mon, Sep 04, 2006 at 10:58:19AM +0200, Martin Pitt wrote:
> I found this in CVS:

I've been trying to look through this, but it's all rather convoluted. First,
Debian (at least sid) doesn't ship 7.6.86, it ships something it labels
7.6.87, which is described in the changelog as "the latest CVS snapshot"
(taken June 4th).

> ----------------------------
> /cvs/Pike/7.6/lib/modules/Sql.pmod/Sql.pike
> revision 1.26
> date: 2006/06/06 03:25:59;  author: adam;  state: Exp;  lines: +4 -2
> Make Sql.postgres objects use the safe quote() method if available.

This makes no sense to me. Sql.pike in upstream CVS (see
http://pike.ida.liu.se/development/cvs/log.xml?file=7.6/lib/modules/Sql.pmod/Sql.pike&module=Pike
) has no such commit ever; however, postgres.pike has one with that date and
comment. I also looked in the 7.7 repository, just in case --
http://pike.ida.liu.se/development/cvs/log.xml?file=7.7/lib/modules/Sql.pmod/Sql.pike&module=Pike
-- but the same there. I can't really find anything related to these issues
in Sql.pike, really. Thus, I assume it was just a paste error somehow, as
1.26 (which we have in our CVS snapshot) seems like a sane diff to me.

> /cvs/Pike/7.6/src/modules/Postgres/
> revision 1.25
> date: 2006/05/24 17:49:56;  author: adam;  state: Exp;  lines: +5 -2
> backport SQL injection fix from 7.7
> 
> revision 1.40
> date: 2006/05/24 17:49:56;  author: adam;  state: Exp;  lines: +39 -2
> backport SQL injection fix from 7.7

These seem to match the changelogs for
/cvs/Pike/7.6/src/modules/Postgres/postgres.c -- we already have 1.42 in our
snapshot.

Thus, I conclude that this is already fixed in Debian's 7.6.87, if only by
sheer accident, and I'm closing this to reduce the RC bug count for etch by
one. :-)

/* Steinar */
-- 
Homepage: http://www.sesse.net/

--- End Message ---