Advisories (MDKSA-2006:098 ): postgresql

[aru]

Mandriva Advisories MDKSA-2006:098 : postgresql

 

Updated postgresql packages fixes SQL injection vulnerabilities.

June 7th, 2006

 

PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13,

 

7.3.x before 7.3.15, and earlier versions allows context-dependent

 

attackers to bypass SQL injection protection methods in applications

 

via invalid encodings of multibyte characters, aka one variant of

 

"Encoding-Based SQL Injection." (CVE-2006-2313)

 

 

 

PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13,

 

7.3.x before 7.3.15, and earlier versions allows context-dependent

 

attackers to bypass SQL injection protection methods in applications

 

that use multibyte encodings that allow the "" (backslash) byte 0x5c to

 

be the trailing byte of a multibyte character, such as SJIS, BIG5, GBK,

 

GB18030, and UHC, which cannot be handled correctly by a client that does

 

not understand multibyte encodings, aka a second variant of "Encoding-Based

 

SQL Injection." NOTE: it could be argued that this is a class of issue

 

related to interaction errors between the client and PostgreSQL, but a

 

CVE has been assigned since PostgreSQL is treating this as a preventative

 

measure against this class of problem. (CVE-2006-2314)

 

 

 

Packages have been patched or updated to correct these issues.

 

 

The released versions of Mandriva GNU/Linux affected are:

• CS3.0
  
• 10.2
  
• 2006.0
  

Full information about this advisory, including the updated packages, is available at:

www.mandriva.com/security/advisories?name=MDKSA-2006:098

 

Other references:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2313

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2314

 

Posted automatically by aru (mdksec2mub v: mdksec2mub,v 1.2 2006/06/01 20:04:28 pituko Exp $)