Executive Summary
| Summary | |
|---|---|
| Title | New postgresql-ocaml packages provide secure escaping |
| Informations | |||
|---|---|---|---|
| Name | DSA-1909 | First vendor Publication | 2009-10-14 |
| Vendor | Debian | Last vendor Modification | 2009-10-14 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 7.5 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| It was discovered that postgresql-ocaml, OCaml bindings to PostgreSQL's libpq, was missing a function to call PQescapeStringConn(). This is needed, because PQescapeStringConn() honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The added function is called escape_string_conn() and takes the established database connection as a first argument. The old escape_string() was kept for backwards compatibility. Developers using these bindings are encouraged to adjust their code to use the new function. For the stable distribution (lenny), this problem has been fixed in version 1.7.0-3+lenny1. For the oldstable distribution (etch), this problem has been fixed in version 1.5.4-2+etch1. For the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version 1.12.1-1. We recommend that you upgrade your postgresql-ocaml packages. |
Original Source
| Url : http://www.debian.org/security/2009/dsa-1909 |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:13062 | |||
| Oval ID: | oval:org.mitre.oval:def:13062 | ||
| Title: | DSA-1909-1 postgresql-ocaml -- missing escape function | ||
| Description: | It was discovered that postgresql-ocaml, OCaml bindings to PostgreSQL's libpq, was missing a function to call PQescapeStringConn. This is needed, because PQescapeStringConn honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The added function is called escape_string_conn and takes the established database connection as a first argument. The old escape_string was kept for backwards compatibility. Developers using these bindings are encouraged to adjust their code to use the new function. For the stable distribution, this problem has been fixed in version 1.7.0-3+lenny1. For the oldstable distribution, this problem has been fixed in version 1.5.4-2+etch1. For the testing distribution and the unstable distribution, this problem has been fixed in version 1.12.1-1. We recommend that you upgrade your postgresql-ocaml packages. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1909-1 CVE-2009-2943 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 | Product(s): | postgresql-ocaml |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:7638 | |||
| Oval ID: | oval:org.mitre.oval:def:7638 | ||
| Title: | DSA-1909 postgresql-ocaml -- missing escape function | ||
| Description: | It was discovered that postgresql-ocaml, OCaml bindings to PostgreSQL's libpq, was missing a function to call PQescapeStringConn(). This is needed, because PQescapeStringConn() honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The added function is called escape_string_conn() and takes the established database connection as a first argument. The old escape_string() was kept for backwards compatibility. Developers using these bindings are encouraged to adjust their code to use the new function. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1909 CVE-2009-2943 | Version: | 3 |
| Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 | Product(s): | postgresql-ocaml |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 3 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2009-11-17 | Name : Fedora Core 10 FEDORA-2009-10595 (ocaml-postgresql) File : nvt/fcore_2009_10595.nasl |
| 2009-11-17 | Name : Fedora Core 11 FEDORA-2009-10633 (ocaml-postgresql) File : nvt/fcore_2009_10633.nasl |
| 2009-10-19 | Name : Debian Security Advisory DSA 1909-1 (postgresql-ocaml) File : nvt/deb_1909_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 59029 | postgresql-ocaml for PostgreSQL PQescapeStringConn() Function Character Escap... Debian based postgresql-ocmal packages contains a flaw that may allow an attacker to gain access to unauthorized privileges. The issue is triggered when the multi-byte input has not been properly sanitized, allowing a remote attacker to gain escalated privileges. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2010-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1909.nasl - Type : ACT_GATHER_INFO |
| 2009-11-11 | Name : The remote Fedora host is missing a security update. File : fedora_2009-10595.nasl - Type : ACT_GATHER_INFO |
| 2009-11-11 | Name : The remote Fedora host is missing a security update. File : fedora_2009-10633.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:28:54 |
|
