Bug#355180: pam-pgsql: Memory leak / possible SIGSEGV

Thank you. Primoz Bratanic On Fri, 2006-03-03 at 13:00 +0100, [EMAIL PROTECTED] wrote: > Package: pam-pgsql > Severity: normal > Tags: patch > > > pam-pgsql doesn't free memory allocated in mhash_end function. It is not > clearly stateed in libmhash documentatio

Bug#323052: pam-pgsql: FTBFS: libpq-fe.h: No such file or directory

Thank you for your report. I'm waiting for my sponsor to get back from vacation. Then I'll be able to upload version compatible with new directory structure of postgresql libraries in Debian. Regards, Primoz Bratanic On Sun, 2005-08-14 at 14:22 +0200, Andreas Jochens wrote: >

Bug#315432: password component doesn't handle use_first_pass argument

deprecated) so .. instead of "use_first_pass" use "use_authtok". Primoz Bratanic -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#308031: mailutils: woody is affected too

Package: mailutils Followup-For: Bug #308031 -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Woody is affected too. Just check MySql/MySql.c (just that there is no escaping ... ) - -- System Information: Debian Release: 3.1 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimenta

Bug#308031: mailutils: sql injection vulnerability in sql authentication module

ection. Solution: add \ to list of characters to be escaped. Primoz Bratanic - -- System Information: Debian Release: 3.1 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Kernel: Linux 2.6.10-1-686-smp Locale: LANG=en_US.UT

Bug#307863: pam: Overwriting passwords in memory

Package: pam Severity: wishlist Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 It may be prudent to see practice from package "shadow" of zeroing passwords in any form immediately after no longer needing it, copied to PAM. pam_unix would be a nice place to start. Primo

Bug#307861: pam-mysql: Overwriting passwords in memory

Package: pam-mysql Severity: wishlist Tags: security -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 If you went over trouble of overwriting encrypted password in memory with zeros (pam_mysql.c line 535-537), why don't overwrite plaintext passwords as well? Primoz Bratanic -BEGI

Bug#307796: xtradius: sql injection in authmysql

Package: xtradius Severity: grave Tags: security Justification: user security hole -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 There is no user input verification whatsoever. In /contrib/authmysql/authmysql.c username supplied by user is fed directly to database. Primoz Bratanic

Bug#307784: pam-pgsql: CAN-2004-0366

regarding sql injection problem with changing password (easy impact would be changing uid to 0 ... root compromise). Primoz Bratanic - -- System Information: Debian Release: 3.1 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: i386 (i686)

Bug#307720: freeradius: Few possible security problems

ied data (username ...), this may result in SQL injection. This is also hard to exploit as user has to be authenticated already before any of these sql statements can get executed. Primoz Bratanic - -- System Information: Debian Release: 3.1 APT prefers unstable APT policy: (500, 'unstab

Bug#290833: dbmail-pgsql: Inconsistent escaping of user supplied data in dbauthpgsql.c

Package: dbmail-pgsql Version: 1.2.11 Severity: grave Tags: security Justification: user security hole -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 In pgsql/dbauthpgsql.c escaping is not consistent. Sometimes username and other user supplied values are escaped and sometimes like in: aut