  • [SECURITY] [DSA 1688-2] New courier-authlib packages fix regression (1/

    From Florian Weimer@1:229/2 to All on Tue Dec 23 00:30:11 2008
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1688-2                  [email protected]
    http://www.debian.org/security/                           Steffen Joeris
    December 22, 2008                     http://www.debian.org/security/faq
    - ------------------------------------------------------------------------

    Package : courier-authlib
    Vulnerability : SQL injection
    Problem type : local/remote XXX
    Debian-specific: no
    CVE Id(s) : CVE-2008-2380 CVE-2008-2667

    The update of courier-authlib in DSA 1688-1 caused a regression with
    setups that do not use mail addresses for authentication. This update
    fixes this regression. For reference, the full advisory text is below.

    Two SQL injection vulnerabilities have been found in courier-authlib,
    the courier authentication library. The MySQL database interface used
    insufficient escaping mechanisms when constructing SQL statements,
    leading to SQL injection vulnerabilities if certain charsets are used
    (CVE-2008-2380). A similar issue affects the PostgreSQL database
    interface (CVE-2008-2667).

    For the stable distribution (etch), these problems have been fixed in
    version 0.58-4+etch3.

    For the testing distribution (lenny) and the unstable distribution
    (sid), these problems have been fixed in version 0.61.0-1+lenny1.

    We recommend that you upgrade your courier-authlib packages.

    Upgrade instructions
    - --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 4.0 alias etch
    - -------------------------------

    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
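
The charset-dependent escaping problem described in the advisory, shown at byte level as an added example (not code from the advisory or from courier-authlib). It assumes GBK as the connection charset, since the advisory only says "certain charsets"; the function names are hypothetical, and rejecting malformed sequences is this example's choice of hardening, not a description of the actual fix.

```c
#include <stdio.h>
#include <stddef.h>
/* GBK lead bytes are 0x81..0xFE; valid trail bytes are 0x40..0xFE except 0x7F. */
static int gbk_lead(unsigned char c)  { return c >= 0x81 && c <= 0xFE; }
static int gbk_trail(unsigned char c) { return c >= 0x40 && c <= 0xFE && c != 0x7F; }

/* Weak: escapes quote and backslash byte by byte, ignoring the charset. */
size_t escape_bytewise(const unsigned char *in, size_t n, unsigned char *out) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'' || in[i] == '\\') out[o++] = '\\';
        out[o++] = in[i];
    }
    return o;
}

/* Hardened (this example's choice): copy valid two-byte chars whole, reject malformed input with -1. */
long escape_gbk_aware(const unsigned char *in, size_t n, unsigned char *out) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (gbk_lead(in[i])) {
            if (i + 1 >= n || !gbk_trail(in[i + 1])) return -1;
            out[o++] = in[i]; out[o++] = in[++i];
            continue;
        }
        if (in[i] == '\'' || in[i] == '\\') out[o++] = '\\';
        out[o++] = in[i];
    }
    return (long)o;
}

/* Simplified model of a server reading the bytes as GBK: counts quotes that would end the literal. */
int unescaped_quotes_gbk(const unsigned char *s, size_t n) {
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        if (gbk_lead(s[i]) && i + 1 < n) { i++; continue; }  /* two-byte char */
        if (s[i] == '\\' && i + 1 < n)   { i++; continue; }  /* escaped byte  */
        if (s[i] == '\'') count++;
    }
    return count;
}

int main(void) {
    const unsigned char in[] = { 0xBF, 0x27 };  /* constructed sample input */
    unsigned char out[8];
    int live = unescaped_quotes_gbk(out, escape_bytewise(in, sizeof in, out));
    printf("byte-wise: %d live quote(s); charset-aware: %ld\n", live, escape_gbk_aware(in, sizeof in, out));
    return 0;
}
```

The byte-wise escaper turns the sample into BF 5C 27; read as GBK, BF 5C is one character, so the quote that was meant to be escaped still terminates the string literal.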