ESB-2009.1420 - [Debian] postgresql-ocaml, mysql-ocaml & pygresql: Multiple vulnerabilities

Date: 15 October 2009

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.1420
          New postgresql-ocaml, mysql-ocaml & pygresql packages
                          provide secure escaping
                              15 October 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           postgresql-ocaml
                   mysql-ocaml
                   pygresql
Publisher:         Debian
Operating System:  Debian GNU/Linux 4
                   Debian GNU/Linux 5
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-2943 CVE-2009-2942 CVE-2009-2940

Original Bulletin: 
   http://www.debian.org/security/2009/dsa-1909
   http://www.debian.org/security/2009/dsa-1910
   http://www.debian.org/security/2009/dsa-1911

Comment: This bulletin contains three (3) Debian security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1909-1                  security@debian.org
http://www.debian.org/security/                      Steffen Joeris
October 14, 2009                      http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : postgresql-ocaml
Vulnerability  : missing escape function
Problem type   : remote
Debian-specific: no
CVE Id         : CVE-2009-2943


It was discovered that postgresql-ocaml, OCaml bindings to PostgreSQL's
libpq, was missing a function to call PQescapeStringConn(). This is
needed because PQescapeStringConn() honours the charset of the
connection and prevents insufficient escaping when certain multibyte
character encodings are used. The added function is called
escape_string_conn() and takes the established database connection as
its first argument. The old escape_string() was kept for backwards
compatibility.

Developers using these bindings are encouraged to adjust their code to
use the new function.


For the stable distribution (lenny), this problem has been fixed in
version 1.7.0-3+lenny1.

For the oldstable distribution (etch), this problem has been fixed in
version 1.5.4-2+etch1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1.12.1-1.


We recommend that you upgrade your postgresql-ocaml packages.


Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- - -------------------------------

Debian (oldstable)
- - ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/postgresql-ocaml_1.5.4.orig.tar.gz
    Size/MD5 checksum:    37091 0f2440dee5ba424e5f2e80b9e1985aac
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/postgresql-ocaml_1.5.4-2+etch1.dsc
    Size/MD5 checksum:      796 fcde6e827e7965128479af66b5f36640
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/postgresql-ocaml_1.5.4-2+etch1.diff.gz
    Size/MD5 checksum:     5422 9955c633c0ba5c6082adab763b02dd81

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.5.4-2+etch1_alpha.deb
    Size/MD5 checksum:    65992 15af26342b66bfc2da16758ceec7d973
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.5.4-2+etch1_alpha.deb
    Size/MD5 checksum:    12184 c94c1fbb5c2b30baf76b54335899fdb2

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.5.4-2+etch1_amd64.deb
    Size/MD5 checksum:    11652 a7e8bebb72e6f8192a5cad99fd133bcc
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.5.4-2+etch1_amd64.deb
    Size/MD5 checksum:    56826 ef65e7f49d2367fc488a22e3b3b06850

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.5.4-2+etch1_arm.deb
    Size/MD5 checksum:    57254 3c612cb5e6a9fce235884a3ecaf2cda6
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.5.4-2+etch1_arm.deb
    Size/MD5 checksum:     9632 361b04c9010ab69b99ca03aa9eb8ee19

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.5.4-2+etch1_hppa.deb
    Size/MD5 checksum:    11536 e347d8c6e10c2f58727ef0f99fbec29e
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.5.4-2+etch1_hppa.deb
    Size/MD5 checksum:    37706 c515f78761b5bc8e1a193b6282c8c685

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.5.4-2+etch1_i386.deb
    Size/MD5 checksum:    55088 5236535c706517466fd0c5005f27f5df
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.5.4-2+etch1_i386.deb
    Size/MD5 checksum:    10708 5cc8f746984d0a5dc6fe6515f798352f

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.5.4-2+etch1_ia64.deb
    Size/MD5 checksum:    70342 1963272ac4eb736025c74bec49d21252
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.5.4-2+etch1_ia64.deb
    Size/MD5 checksum:    13408 ceceb8785ca67033b906a5bbdcfb3816

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.5.4-2+etch1_mips.deb
    Size/MD5 checksum:    10550 ed2eba369cd295521a8b706c3402ed53
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.5.4-2+etch1_mips.deb
    Size/MD5 checksum:    36922 cd5d3fd3ef7ed3f5b7f28fcbdcb38f54

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.5.4-2+etch1_mipsel.deb
    Size/MD5 checksum:    10502 2692a552a66911e5e49805a9a37d7760
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.5.4-2+etch1_mipsel.deb
    Size/MD5 checksum:    36858 6e9ca0073b222a0a0b3049e6c85d919c

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.5.4-2+etch1_powerpc.deb
    Size/MD5 checksum:    11746 b19f3ce9de91c58d784d758a8b7aba4d
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.5.4-2+etch1_powerpc.deb
    Size/MD5 checksum:    60820 e04f4fa7c6ffa370c76c5f6a5df3f618

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.5.4-2+etch1_s390.deb
    Size/MD5 checksum:    12156 8a98242d666d976a5cfabd7a7044d136
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.5.4-2+etch1_s390.deb
    Size/MD5 checksum:    37152 2497bdd2fb753146491197b588f21269

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.5.4-2+etch1_sparc.deb
    Size/MD5 checksum:     9840 dafe39256eb4570aa367089762dbdf36
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.5.4-2+etch1_sparc.deb
    Size/MD5 checksum:    60104 9adc5f0645a24a4b92325595ba8c0552


Debian GNU/Linux 5.0 alias lenny
- - --------------------------------

Debian (stable)
- - ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/postgresql-ocaml_1.7.0-3+lenny1.dsc
    Size/MD5 checksum:     1464 af736cb504a122eb488b42324033073f
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/postgresql-ocaml_1.7.0-3+lenny1.diff.gz
    Size/MD5 checksum:     5748 8a086c9db7ca5be802b03caedd1d9914
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/postgresql-ocaml_1.7.0.orig.tar.gz
    Size/MD5 checksum:    38398 679322c7c7890805a37f7765c4b8f695

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.7.0-3+lenny1_alpha.deb
    Size/MD5 checksum:    57672 2f787af347ad3cfb4d38dd11991a79c2
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.7.0-3+lenny1_alpha.deb
    Size/MD5 checksum:    14448 75907d30cb91a964713e816f8f0dc7ed

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.7.0-3+lenny1_amd64.deb
    Size/MD5 checksum:    13840 18b8f028d932263f2ea664d9073d2e93
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.7.0-3+lenny1_amd64.deb
    Size/MD5 checksum:    74842 862fc3a2c78a37f5d5319fa26ff395c3

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.7.0-3+lenny1_arm.deb
    Size/MD5 checksum:    53154 e0fd01bb50373e6516a700e4a93207c9
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.7.0-3+lenny1_arm.deb
    Size/MD5 checksum:    11256 8ae4ba77e2ca6ff37428eafcfd2127f3

armel architecture (ARM EABI)

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.7.0-3+lenny1_armel.deb
    Size/MD5 checksum:    11306 aded1f1a2ecb1b570b5466824ecf506d
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.7.0-3+lenny1_armel.deb
    Size/MD5 checksum:    53826 ee8e2e91e7f07c68932c877be7d5882e

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.7.0-3+lenny1_hppa.deb
    Size/MD5 checksum:    55740 602e9d0d203bda43537df8ea7a8cce8f
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.7.0-3+lenny1_hppa.deb
    Size/MD5 checksum:    13336 c4e0cf3675baf4a472606ab2149c8c3d

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.7.0-3+lenny1_i386.deb
    Size/MD5 checksum:    71974 e22ca1163b616029eb3203ab9a83f57f
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.7.0-3+lenny1_i386.deb
    Size/MD5 checksum:    12358 879cfbff241a2b658f2cafc70fbc26e9

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.7.0-3+lenny1_ia64.deb
    Size/MD5 checksum:    15826 5d918a9811f7a5494a6fb42b7471032f
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.7.0-3+lenny1_ia64.deb
    Size/MD5 checksum:    56718 aac510279b15caba5d3a2898b6e5ad22

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.7.0-3+lenny1_mips.deb
    Size/MD5 checksum:    11956 58b8c5c0fe6f5d8308ef455d9c3629b1
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.7.0-3+lenny1_mips.deb
    Size/MD5 checksum:    54194 cf205c120e7d340caea0c6ab40e6fdad

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.7.0-3+lenny1_mipsel.deb
    Size/MD5 checksum:    54668 9774393d80fda8f3afa41e5350767a5a
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.7.0-3+lenny1_mipsel.deb
    Size/MD5 checksum:    11918 75bc39f75ae92d90c12be56e33af1dcf

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.7.0-3+lenny1_powerpc.deb
    Size/MD5 checksum:    14972 2addc8ca023ebd60ab39c4454daa1730
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.7.0-3+lenny1_powerpc.deb
    Size/MD5 checksum:    79472 bb0ea2d94f065409f66f3436897477c0

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.7.0-3+lenny1_s390.deb
    Size/MD5 checksum:    14298 fb4aec5493a4b06bf17befbdab8a9a3d
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.7.0-3+lenny1_s390.deb
    Size/MD5 checksum:    55212 c11d2dceae4c5d09c92c793b6d810e91

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml_1.7.0-3+lenny1_sparc.deb
    Size/MD5 checksum:    11480 3b8f3c866dc73cddd0905768a7f137a5
  http://security.debian.org/pool/updates/main/p/postgresql-ocaml/libpostgresql-ocaml-dev_1.7.0-3+lenny1_sparc.deb
    Size/MD5 checksum:    77672 a9b0fa3cd51538dfeaaa2e5da8ac92b7


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkrWZ4AACgkQ62zWxYk/rQfOgACgiWnpVG4WWSOogYT547H6I+F/
2tMAnjDhfvrLKbZjtOSfQvonCpZX6W7a
=ZDIi
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1910-1                  security@debian.org
http://www.debian.org/security/                      Steffen Joeris
October 14, 2009                      http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : mysql-ocaml
Vulnerability  : missing escape function
Problem type   : remote
Debian-specific: no
CVE Id         : CVE-2009-2942


It was discovered that mysql-ocaml, OCaml bindings for MySQL, was
missing a function to call mysql_real_escape_string(). This is needed
because mysql_real_escape_string() honours the charset of the connection
and prevents insufficient escaping when certain multibyte character
encodings are used. The added function is called real_escape() and
takes the established database connection as its first argument. The old
escape_string() was kept for backwards compatibility.

Developers using these bindings are encouraged to adjust their code to
use the new function.


For the stable distribution (lenny), this problem has been fixed in
version 1.0.4-4+lenny1.

For the oldstable distribution (etch), this problem has been fixed in
version 1.0.4-2+etch1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem will be fixed soon.


We recommend that you upgrade your mysql-ocaml packages.


Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- - -------------------------------

Debian (oldstable)
- - ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/m/mysql-ocaml/mysql-ocaml_1.0.4-2+etch1.diff.gz
    Size/MD5 checksum:     4922 747ef04d7a1889198ec4dbf74c67b2f9
  http://security.debian.org/pool/updates/main/m/mysql-ocaml/mysql-ocaml_1.0.4-2+etch1.dsc
    Size/MD5 checksum:     1330 7fc48e4dcd193742a45c876fd526a57b

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml_1.0.4-2+etch1_amd64.deb
    Size/MD5 checksum:    11790 fd99b55a5cd4b4a31ab19be4bcb381b1
  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml-dev_1.0.4-2+etch1_amd64.deb
    Size/MD5 checksum:    56456 be0d2ab9fff0963365ebd00ad292a099

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml-dev_1.0.4-2+etch1_mips.deb
    Size/MD5 checksum:    41052 0e192c84931718413f68bbbeecaae8de
  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml_1.0.4-2+etch1_mips.deb
    Size/MD5 checksum:    11188 cfe215c414389beb6e209e0b1ad53836

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml-dev_1.0.4-2+etch1_mipsel.deb
    Size/MD5 checksum:    41082 b5f411607c26b4ba66fdf5ca3fafdc1e
  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml_1.0.4-2+etch1_mipsel.deb
    Size/MD5 checksum:    11212 55dbbcd2aaf1ce70c5f29ca294ab7c2f

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml-dev_1.0.4-2+etch1_sparc.deb
    Size/MD5 checksum:    56836 945b6f4cdddd98413031a91a14e48da7
  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml_1.0.4-2+etch1_sparc.deb
    Size/MD5 checksum:    10650 8c92747279818c517a0ebf6873fa01a3


Debian GNU/Linux 5.0 alias lenny
- - --------------------------------

Debian (stable)
- - ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/m/mysql-ocaml/mysql-ocaml_1.0.4-4+lenny1.dsc
    Size/MD5 checksum:     1912 30bca56e3d5818eaca5bb7fde48fb7c4
  http://security.debian.org/pool/updates/main/m/mysql-ocaml/mysql-ocaml_1.0.4-4+lenny1.diff.gz
    Size/MD5 checksum:     5094 99ca09aea5510a14cd9c89ef3df7db7b
  http://security.debian.org/pool/updates/main/m/mysql-ocaml/mysql-ocaml_1.0.4.orig.tar.gz
    Size/MD5 checksum:   119584 76f1282bb7299012669bf40cde78216b

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml-dev_1.0.4-4+lenny1_alpha.deb
    Size/MD5 checksum:    42870 8e8dbef7120c2ccfe7f4afc8c651f774
  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml_1.0.4-4+lenny1_alpha.deb
    Size/MD5 checksum:    12474 bc239d611ee379d53d58f3d944e26fc9

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml_1.0.4-4+lenny1_amd64.deb
    Size/MD5 checksum:    12120 e1f9170e413ad492963b3ac2b6a16f61
  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml-dev_1.0.4-4+lenny1_amd64.deb
    Size/MD5 checksum:    56758 6fb0e8f0e769fbaa89ea7fe437b07092

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml-dev_1.0.4-4+lenny1_arm.deb
    Size/MD5 checksum:    40652 4295ce0a1490f805d73202c0c3d6b2e3
  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml_1.0.4-4+lenny1_arm.deb
    Size/MD5 checksum:    10806 b05ecd665ba9ec10053693a9f1eef6d7

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml_1.0.4-4+lenny1_hppa.deb
    Size/MD5 checksum:    12252 7f093c8f69af100652d011a5319a126e
  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml-dev_1.0.4-4+lenny1_hppa.deb
    Size/MD5 checksum:    41658 d68829d26c2d5ecd82b097d1afcafd00

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml_1.0.4-4+lenny1_i386.deb
    Size/MD5 checksum:    10878 c881ca9eaed7d094fb06b045a36badcc
  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml-dev_1.0.4-4+lenny1_i386.deb
    Size/MD5 checksum:    55498 7a66df77e3c9bfdb4ec9161df99b2f44

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml-dev_1.0.4-4+lenny1_ia64.deb
    Size/MD5 checksum:    43270 a590fda7ec241c5adb63e8012d93a6a7
  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml_1.0.4-4+lenny1_ia64.deb
    Size/MD5 checksum:    14436 4adff7114ee2600c6086fb456f349d3b

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml-dev_1.0.4-4+lenny1_mips.deb
    Size/MD5 checksum:    41192 9725b31a8355ecddfe3ac6c724388b8d
  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml_1.0.4-4+lenny1_mips.deb
    Size/MD5 checksum:    11328 ab2c5ce069b593de640e8e27eabc016b

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml_1.0.4-4+lenny1_mipsel.deb
    Size/MD5 checksum:    11322 f7f39aeabc1949645f5bdbb553d595e4
  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml-dev_1.0.4-4+lenny1_mipsel.deb
    Size/MD5 checksum:    41186 83e2b0503b5cc38a3733c5aa76a45c2a

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml_1.0.4-4+lenny1_powerpc.deb
    Size/MD5 checksum:    13948 4f741865f6ad0d5231d210f64f61f449
  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml-dev_1.0.4-4+lenny1_powerpc.deb
    Size/MD5 checksum:    58050 e824b11167cdddee268e065dca840956

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml-dev_1.0.4-4+lenny1_s390.deb
    Size/MD5 checksum:    41336 2fc7ab920f715a357875964cf57412a6
  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml_1.0.4-4+lenny1_s390.deb
    Size/MD5 checksum:    12424 a6c5e84d7791f8f5c9566aa4ae63d01f

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml_1.0.4-4+lenny1_sparc.deb
    Size/MD5 checksum:    10872 c08d9014b06dee09a59bf8b589e28718
  http://security.debian.org/pool/updates/main/m/mysql-ocaml/libmysql-ocaml-dev_1.0.4-4+lenny1_sparc.deb
    Size/MD5 checksum:    56922 0fa317d9c532db33bb13eea54df1f577


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkrWZ+cACgkQ62zWxYk/rQdgvgCglPkog9b6HpCHiSdinSu373if
BdwAnRoX39m2Kn8b/7ksyW5wTjimJlex
=mDyj
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1911-1                  security@debian.org
http://www.debian.org/security/                      Steffen Joeris
October 14, 2009                      http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : pygresql
Vulnerability  : missing escape function
Problem type   : remote
Debian-specific: no
CVE Id         : CVE-2009-2940


It was discovered that pygresql, a PostgreSQL module for Python, was
missing a function to call PQescapeStringConn(). This is needed because
PQescapeStringConn() honours the charset of the connection and prevents
insufficient escaping when certain multibyte character encodings are
used. The new function is called pg_escape_string() and takes the
database connection as its first argument. The old function
escape_string() has been preserved as well for backwards compatibility.

Developers using these bindings are encouraged to adjust their code to
use the new function.
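All three advisories above (DSA-1909, DSA-1910 and DSA-1911) describe the same defect: an escape helper that works on raw bytes without knowing the connection's character set. The following is an added example, not code from the advisories or from the postgresql-ocaml, mysql-ocaml or pygresql projects. escape_bytes_naive() is our stand-in for an escape_string()-style helper that scans bytes; escape_bytes_conn() is our stand-in for the PQescapeStringConn() / mysql_real_escape_string() approach of escaping with the connection encoding in hand; unescape_literal() models a server that honours backslash escapes and doubled quotes. The round-trip check is the test a maintainer can run against any escaper: if escaping and parsing back does not return the original value, the escaper is unsafe for that encoding. Shift_JIS is used because it is one of the encodings where a trail byte can be 0x5C (the backslash byte); UTF-8 is included to show why the advisories say "certain" multibyte encodings.

```python
# Added example; the function names are ours, not an API of any of the
# three packages. Assumes a server that honours backslash escapes
# (PostgreSQL with standard_conforming_strings off, or MySQL).

QUOTE, BACKSLASH = 0x27, 0x5C


def escape_bytes_naive(data: bytes, client_encoding: str = None) -> bytes:
    """Escape by scanning raw bytes: doubles every 0x27 and 0x5C byte with no
    idea where multibyte character boundaries fall. The encoding argument is
    accepted and ignored, which is exactly the problem."""
    out = bytearray()
    for b in data:
        if b == QUOTE:
            out += b"''"
        elif b == BACKSLASH:
            out += b"\\\\"
        else:
            out.append(b)
    return bytes(out)


def escape_bytes_conn(data: bytes, client_encoding: str) -> bytes:
    """Escape with the connection encoding known: decode to characters first,
    so a 0x5C trail byte inside a multibyte character is left alone.
    Malformed input raises UnicodeDecodeError instead of being guessed at."""
    text = data.decode(client_encoding)
    text = text.replace("\\", "\\\\").replace("'", "''")
    return text.encode(client_encoding)


def unescape_literal(escaped: bytes, client_encoding: str) -> str:
    """Parse an escaped literal body the way the server would, decoding with
    the connection encoding. Returns the stored value, or raises ValueError
    when the literal would end early or a backslash is left dangling."""
    chars = escaped.decode(client_encoding)
    out, i = [], 0
    while i < len(chars):
        c = chars[i]
        if c == "'":
            if chars[i + 1:i + 2] != "'":
                raise ValueError("unescaped quote: literal terminates early")
            out.append("'")
            i += 2
        elif c == "\\":
            if i + 1 >= len(chars):
                raise ValueError("dangling backslash at end of literal")
            out.append(chars[i + 1])
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def round_trips(escaper, text: str, client_encoding: str) -> bool:
    """Defensive check: escaping `text` and parsing it back must yield `text`.
    False means the escaper is unsafe (corrupts data or breaks the literal)
    for this connection encoding."""
    raw = text.encode(client_encoding)
    try:
        escaped = escaper(raw, client_encoding)
        return unescape_literal(escaped, client_encoding) == text
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    # Constructed samples: an ASCII name with an apostrophe, and U+8868,
    # whose Shift_JIS encoding is the two bytes 0x95 0x5C.
    for enc in ("utf-8", "shift_jis"):
        for sample in ("O'Brien", "\u8868", "\u8868'"):
            print(enc, repr(sample),
                  "naive:", round_trips(escape_bytes_naive, sample, enc),
                  "conn:", round_trips(escape_bytes_conn, sample, enc))
```

Under UTF-8 both escapers pass, because UTF-8 continuation bytes are always 0x80 or above. Under Shift_JIS the byte scanner doubles the 0x5C trail byte of U+8868, so the parsed value gains a stray backslash or, when a quote follows, the literal is reported as terminating early; the encoding-aware escaper passes in every case. This is the behavioural difference the new escape_string_conn(), real_escape() and pg_escape_string() functions exist to close.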


For the stable distribution (lenny), this problem has been fixed in
version 1:3.8.1-3+lenny1.

For the oldstable distribution (etch), this problem has been fixed in
version 1:3.8.1-1etch2.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1:4.0-1.


We recommend that you upgrade your pygresql packages.


Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
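The manual "wget url / dpkg -i file.deb" route given in each of the three advisories above skips the step a practitioner should not: checking the downloaded package against the "Size/MD5 checksum" line published next to its URL before installing it. The following is an added example, not part of the Debian advisories or of any Debian tooling. parse_manifest() pairs each URL line with the checksum line beneath it (the sample input is the real lenny/amd64 pygresql entry from DSA-1911-1 above); verify_download() is our own check; self_check() runs it on a constructed 3-byte file whose MD5 is known.

```python
# Added example; function names are ours. Assumes the advisory text is
# available locally (pasted or saved from the bulletin).
import hashlib
import os
import re
import tempfile

# Sample input: one URL + checksum pair copied from DSA-1911-1 (lenny, amd64).
ADVISORY_SNIPPET = """\
  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-3+lenny1_amd64.deb
    Size/MD5 checksum:   115328 fe068a81f497f69a6ad19d495e652e2b
"""

CHECKSUM_RE = re.compile(r"Size/MD5 checksum:\s+(\d+)\s+([0-9a-fA-F]{32})")


def parse_manifest(advisory_text: str) -> dict:
    """Map each file name listed in the advisory to its (size, md5).
    A 'Size/MD5 checksum:' line belongs to the URL line just before it."""
    manifest, current = {}, None
    for line in advisory_text.splitlines():
        s = line.strip()
        if s.startswith("http://") or s.startswith("https://"):
            current = s.rsplit("/", 1)[-1]
        else:
            m = CHECKSUM_RE.search(s)
            if m and current:
                manifest[current] = (int(m.group(1)), m.group(2).lower())
                current = None
    return manifest


def verify_download(path: str, manifest: dict) -> bool:
    """True only if the file is listed and both size and MD5 match.
    The size check is cheap and catches truncated downloads before hashing.
    MD5 here is an integrity check against a corrupted or wrong file;
    authenticity rests on the PGP signature over the advisory itself."""
    name = os.path.basename(path)
    if name not in manifest:
        return False
    size, md5 = manifest[name]
    if os.path.getsize(path) != size:
        return False
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest() == md5


def self_check() -> tuple:
    """Constructed run: a 3-byte stand-in for a .deb (content b'abc', whose
    MD5 is 900150983cd24fb0d6963f7d28e17f72) checked against a matching
    manifest, a wrong hash, and a wrong size."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.deb")
        with open(path, "wb") as f:
            f.write(b"abc")
        good = {"sample.deb": (3, "900150983cd24fb0d6963f7d28e17f72")}
        bad_hash = {"sample.deb": (3, "0" * 32)}
        bad_size = {"sample.deb": (4, "900150983cd24fb0d6963f7d28e17f72")}
        return (verify_download(path, good),
                verify_download(path, bad_hash),
                verify_download(path, bad_size))


if __name__ == "__main__":
    print(parse_manifest(ADVISORY_SNIPPET))
    print(self_check())  # (True, False, False)
```

In use, paste the whole "Source archives" / architecture block of the relevant DSA into parse_manifest(), run verify_download() on the fetched .deb, and only then call dpkg -i. The apt-get route does this for you through the archive's signed Release files, which is one more reason to prefer it over a hand-fetched .deb.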


Debian GNU/Linux 4.0 alias etch
- - -------------------------------

Debian (oldstable)
- - ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/p/pygresql/pygresql_3.8.1-1etch2.dsc
    Size/MD5 checksum:      694 086a34b31967d51ff8ca7a8804d39a91
  http://security.debian.org/pool/updates/main/p/pygresql/pygresql_3.8.1-1etch2.diff.gz
    Size/MD5 checksum:     4253 f32240024a278f6650b4342a0ebcbb71

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-1etch2_alpha.deb
    Size/MD5 checksum:    93958 dbf107badf6bf7c7b0b2820141e42ef2

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-1etch2_amd64.deb
    Size/MD5 checksum:    92400 ea6b668eab27ad64d2e7b02e4affc727

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-1etch2_arm.deb
    Size/MD5 checksum:    90130 7b15f232b3dc6facd956eb7fca1bd4e5

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-1etch2_i386.deb
    Size/MD5 checksum:    90362 eaec4a360b3af5e4c334126cf870f4fc

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-1etch2_ia64.deb
    Size/MD5 checksum:    98092 488b3090825b958784a5ee748899f337

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-1etch2_mips.deb
    Size/MD5 checksum:    88844 92b80b8485000c7170959b1b10aa93a4

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-1etch2_mipsel.deb
    Size/MD5 checksum:    88586 8b64c4326529429d0bd1fbff149eb471

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-1etch2_powerpc.deb
    Size/MD5 checksum:    91086 653410357846b7870f33d93fc87e7348

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-1etch2_s390.deb
    Size/MD5 checksum:    91506 e3ad96489ac5acaf13d850a01027b8c8

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-1etch2_sparc.deb
    Size/MD5 checksum:    89030 a82665887545c1ef1d30f3aa55be7804

Debian GNU/Linux 5.0 alias lenny
- - --------------------------------

Debian (stable)
- - ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/p/pygresql/pygresql_3.8.1-3+lenny1.diff.gz
    Size/MD5 checksum:     4466 a1c2ce06c800d605bfe14bcfe2dd0827
  http://security.debian.org/pool/updates/main/p/pygresql/pygresql_3.8.1.orig.tar.gz
    Size/MD5 checksum:    81186 5575979dac93c9c5795d7693a8f91c86
  http://security.debian.org/pool/updates/main/p/pygresql/pygresql_3.8.1-3+lenny1.dsc
    Size/MD5 checksum:     1124 269418b4532c90f057bd22e5858a2997

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-3+lenny1_alpha.deb
    Size/MD5 checksum:   114256 5704221569e20111cf6672ece0d11682
  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql-dbg_3.8.1-3+lenny1_alpha.deb
    Size/MD5 checksum:   156386 fa17c555e61b71463de456db3c51ae84

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql-dbg_3.8.1-3+lenny1_amd64.deb
    Size/MD5 checksum:   159238 128f1c3033bde64f9a11f5e913d9d973
  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-3+lenny1_amd64.deb
    Size/MD5 checksum:   115328 fe068a81f497f69a6ad19d495e652e2b

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-3+lenny1_arm.deb
    Size/MD5 checksum:   109312 25c5b281ea33146beb5a59666aba47ac
  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql-dbg_3.8.1-3+lenny1_arm.deb
    Size/MD5 checksum:   144480 ca940db2975633c04b5c2fe87274e8ea

armel architecture (ARM EABI)

  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql-dbg_3.8.1-3+lenny1_armel.deb
    Size/MD5 checksum:   149678 957232bd77ffab3671bf785476ea87da
  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-3+lenny1_armel.deb
    Size/MD5 checksum:   111126 705dea69876757df26bc42e74dd17226

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-3+lenny1_hppa.deb
    Size/MD5 checksum:   117048 c47c89646f2bc572d5fee685876e639f
  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql-dbg_3.8.1-3+lenny1_hppa.deb
    Size/MD5 checksum:   155300 c864943c790f0a79b2da3034d51a94fa

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-3+lenny1_i386.deb
    Size/MD5 checksum:   108626 d27c445d00283fe59fb6a54cfaaa4156
  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql-dbg_3.8.1-3+lenny1_i386.deb
    Size/MD5 checksum:   142506 b1d7283270efa735daf705a7825981e7

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql-dbg_3.8.1-3+lenny1_ia64.deb
    Size/MD5 checksum:   160656 45f6874fdc6f520dbe1932a9acbbdc1e
  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-3+lenny1_ia64.deb
    Size/MD5 checksum:   125206 261caf7cc1e302d67b1d4c8f44fdca5e

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql-dbg_3.8.1-3+lenny1_mips.deb
    Size/MD5 checksum:   149858 3ab427dbe8851bdc5710d5be170e87b4
  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-3+lenny1_mips.deb
    Size/MD5 checksum:   106876 519d15036e48482c9bf6ba13a45df864

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-3+lenny1_mipsel.deb
    Size/MD5 checksum:   107182 e89c124b98cf43149ef29bf0c7376e37
  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql-dbg_3.8.1-3+lenny1_mipsel.deb
    Size/MD5 checksum:   147822 36818301f82c6b208a12dfffcb12abaa

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql-dbg_3.8.1-3+lenny1_powerpc.deb
    Size/MD5 checksum:   158920 24d9e6552bc85adbeec92f88cfb7c5cf
  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-3+lenny1_powerpc.deb
    Size/MD5 checksum:   114592 67797adf90fa321b296f7c6755622802

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql-dbg_3.8.1-3+lenny1_s390.deb
    Size/MD5 checksum:   156980 636e256ccfc7f06b6b41cd74492a9593
  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-3+lenny1_s390.deb
    Size/MD5 checksum:   113766 0cca0ff55e531f246f10009322b62bb2

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql-dbg_3.8.1-3+lenny1_sparc.deb
    Size/MD5 checksum:   137180 050359d747dd8afce46c3309967af260
  http://security.debian.org/pool/updates/main/p/pygresql/python-pygresql_3.8.1-3+lenny1_sparc.deb
    Size/MD5 checksum:   108528 40ca765a94813cefaf2a4c77597f8155


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================