Bugtraq mailing list archives
rPSA-2006-0080-1 postgresql postgresql-server
From: "Justin M. Forbes" <jmforbes () rpath com>
Date: Wed, 24 May 2006 17:05:56 -0400
rPath Security Advisory: 2006-0080-1
Published: 2006-05-24
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification:
    Local System User Deterministic Vulnerability
Updated Versions:
    postgresql=/conary.rpath.com@rpl:devel//1/8.1.4-1-0.1
    postgresql-server=/conary.rpath.com@rpl:devel//1/8.1.4-1-0.1

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2313
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2314
    http://bugs.rpath.com/show_bug.cgi?id=1159
    http://www.postgresql.org/docs/techdocs.49
    http://www.postgresql.org/docs/techdocs.50
    http://developer.postgresql.org/docs/postgres/release-8-1-4.html

Description:
    Previous versions of the postgresql server and client libraries contain
    weaknesses in parsing certain character encodings (UTF-8, SJIS, BIG5, GBK,
    GB18030, or UHC, but not ASCII) which, when one of the vulnerable encodings
    is in use, can enable SQL injection attacks against applications
    (particularly web applications) that use non-standard escaping of quote
    characters. Because vulnerable escaping of quote characters is no longer
    allowed, some existing applications may not function correctly when used
    with the new release of postgresql.
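The escaping problem the advisory describes, as an added example that is not code from rPath or PostgreSQL: a small Python model of a server's literal tokenizer, run over the non-standard backslash escaping beside SQL-standard quote doubling, under Shift_JIS and under a single-byte encoding. The tokenizer, the two escaping helpers and the sample inputs are all constructed here and are assumptions, not taken from either project.

```python
# Added example, not from the advisory or PostgreSQL: a model of how a server
# tokenizes a quoted literal after decoding the client encoding.

def backslash_escape(value: bytes) -> bytes:
    """Non-standard escaping, the style the advisory says is no longer allowed."""
    return b"'" + value.replace(b"\\", b"\\\\").replace(b"'", b"\\'") + b"'"

def standard_escape(value: bytes) -> bytes:
    """SQL-standard escaping: double each single quote and emit no backslashes."""
    return b"'" + value.replace(b"'", b"''") + b"'"

def literal_status(literal: bytes, encoding: str, backslash_escapes: bool) -> str:
    """Return 'intact' (one literal, nothing after it), 'broken' (string closed
    early and text follows it), 'unterminated' (closing quote swallowed) or
    'invalid-encoding' (bytes are not a valid sequence in `encoding`)."""
    try:
        text = literal.decode(encoding)  # strict decoding rejects malformed bytes
    except UnicodeDecodeError:
        return "invalid-encoding"
    i = 1  # skip the opening quote
    while i < len(text):
        if backslash_escapes and text[i] == "\\":
            i += 2  # backslash escapes the following character
        elif text[i] == "'" and text[i + 1:i + 2] == "'":
            i += 2  # doubled quote stands for one literal quote
        elif text[i] == "'":
            return "intact" if i == len(text) - 1 else "broken"
        else:
            i += 1
    return "unterminated"

# Constructed inputs: 0x95 0x5C is the two-byte Shift_JIS character 表, whose
# trailing byte is ASCII backslash; MALFORMED is a lone lead byte plus text.
VALID_SJIS = b"\x95\x5c'"
MALFORMED = b"\x95' x"

def demo() -> dict:
    """Both escaping styles under Shift_JIS and under a single-byte encoding."""
    cases = {
        "standard/sjis/valid": (standard_escape(VALID_SJIS), "shift_jis", False),
        "backslash/sjis/valid": (backslash_escape(VALID_SJIS), "shift_jis", True),
        "standard/sjis/malformed": (standard_escape(MALFORMED), "shift_jis", False),
        "backslash/sjis/malformed": (backslash_escape(MALFORMED), "shift_jis", True),
        "backslash/latin1/malformed": (backslash_escape(MALFORMED), "latin-1", True),
    }
    return {name: literal_status(*args) for name, args in cases.items()}
```

Quote doubling keeps the literal intact on valid input and is rejected outright on malformed bytes, while backslash escaping loses the string boundary only under the multibyte encoding, which is why the advisory ties the injection risk to the client encoding rather than to the application alone.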