FYI (Fw: [CLA-2001:427] Conectiva Linux Security Announcement - mod_auth_pgsql) - Mailing list pgsql-general
From | Steve Wolfe |
---|---|
Subject | FYI (Fw: [CLA-2001:427] Conectiva Linux Security Announcement - mod_auth_pgsql) |
Date | |
Msg-id | 003501c14839$98dadae0$50824e40@iboats.com |
List | pgsql-general |
I imagine that some here are using mod_auth_pgsql, and thought that I'd pass this along for those who aren't subscribed to Bugtraq. While this is a Conectiva security announcement, it looks like all versions of mod_auth_pgsql are vulnerable that were downloaded before the 25th or 26th.

steve

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --------------------------------------------------------------------------
> CONECTIVA LINUX SECURITY ANNOUNCEMENT
> - --------------------------------------------------------------------------
>
> PACKAGE   : mod_auth_pgsql
> SUMMARY   : Remote vulnerability allows an attacker to bypass authentication
> DATE      : 2001-09-28 11:26:00
> ID        : CLA-2001:427
> RELEVANT
> RELEASES  : 4.0, 4.0es, 4.1, 4.2, 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0
>
> - --------------------------------------------------------------------------
>
> DESCRIPTION
> "mod_auth_mysql" is an authentication module for apache which
> authenticates users against a PostgreSQL database.
>
> RUS-CERT discovered a vulnerability[1][3] in several Apache
> authentication modules which use SQL databases to retrieve user
> information. This vulnerability allows a remote attacker to change
> the query that the module sends to the SQL server and circumvent the
> authentication process.
>
> This vulnerability is *still* present in the 0.9.6 version in a
> slightly different fashion:
>
> Username: '';; select ''bla
> Password: bla
>
> The author has been notified and released version 0.9.9 on Sep 25th
> to address this problem[2].
>
> Additionally, this is also a bugfix update for this package, which
> wasn't linked against the PostgreSQL libraries in our previous
> releases.
>
>
> SOLUTION
> It is recommended that all mod_auth_pgsql users upgrade the package.
> All versions released here, even being older, have patches to address
> this problem. The update for the 0.8 version also contains the
> snprintf() patches from Erik Rossen.
>
> IMPORTANT: it is necessary to restart the Apache web server after
> updating these packages.
>
>
> REFERENCES
> 1. http://cert.uni-stuttgart.de/advisories/apache_auth.php
> 2. http://www.giuseppetanzilli.it/mod_auth_pgsql/
> 3. http://www.securityfocus.com/bid/3251
>
>
> DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
> ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/mod_auth_pgsql-0.8-4U40_3cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/4.0/i386/mod_auth_pgsql-0.8-4U40_3cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/mod_auth_pgsql-0.8-4U40_3cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/4.0es/i386/mod_auth_pgsql-0.8-4U40_3cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/mod_auth_pgsql-0.8-4U41_3cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/4.1/i386/mod_auth_pgsql-0.8-4U41_3cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/mod_auth_pgsql-0.8-4U42_3cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/4.2/i386/mod_auth_pgsql-0.8-4U42_3cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/mod_auth_pgsql-0.8-4U50_3cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/5.0/i386/mod_auth_pgsql-0.8-4U50_3cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/mod_auth_pgsql-0.8-4U51_3cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/5.1/i386/mod_auth_pgsql-0.8-4U51_3cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/mod_auth_pgsql-0.8-4U60_3cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/6.0/RPMS/mod_auth_pgsql-0.8-4U60_3cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/mod_auth_pgsql-0.9.6-1U70_2cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mod_auth_pgsql-0.9.6-1U70_2cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/mod_auth_pgsql-0.8-4U50_3cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/mod_auth_pgsql-0.8-4U50_3cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/mod_auth_pgsql-0.8-4U50_3cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/mod_auth_pgsql-0.8-4U50_3cl.i386.rpm
>
>
> ADDITIONAL INSTRUCTIONS
> Users of Conectiva Linux version 6.0 or higher may use apt to perform
> upgrades of RPM packages:
> - add the following line to /etc/apt/sources.list if it is not there yet
>   (you may also use linuxconf to do this):
>
> rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
>
> (replace 6.0 with the correct version number if you are not running CL6.0)
>
> - run: apt-get update
> - after that, execute: apt-get upgrade
>
> Detailed instructions regarding the use of apt and upgrade examples
> can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en