==========================================================Ubuntu Security Notice USN-870-1          December 11, 2009
pygresql vulnerability
CVE-2009-2940
==========================================================
A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  python-pygresql                 1:3.8.1-2ubuntu0.1

Ubuntu 8.10:
  python-pygresql                 1:3.8.1-3ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Steffen Joeris discovered that PyGreSQL 3.8 did not use PostgreSQL's safe
string and bytea functions in its own escaping functions. As a result,
applications written to use PyGreSQL's escaping functions are vulnerable to
SQL injections when processing certain multi-byte character sequences.
Because the safe functions require a database connection, to maintain
backwards compatibility, pg.escape_string() and pg.escape_bytea() are still
available, but applications will have to be adjusted to use the new
pyobj.escape_string() and pyobj.escape_bytea() functions. For example, code
containing:

  import pg
  connection = pg.connect(...)
  escaped = pg.escape_string(untrusted_input)

should be adjusted to use:

  import pg
  connection = pg.connect(...)
  escaped = connection.escape_string(untrusted_input)


Updated packages for Ubuntu 8.04 LTS:

  Source archives:

          Size/MD5:     4556 282feadbd53e81d0912041f3e8707b65
          Size/MD5:      819 9613b347da5530beaaed5685ca7190e9
          Size/MD5:    81186 5575979dac93c9c5795d7693a8f91c86

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

          Size/MD5:   158862 52a6055fbb6bd8343b5a714c12e30afa
          Size/MD5:   113590 ab2f308e7c9d011e4290a159c0ac5c66

  i386 architecture (x86 compatible Intel/AMD):

          Size/MD5:   142506 fc8a7789c369ac24468b7dc9cfcf8de5
          Size/MD5:   108396 00a81a413758c9c9b91efdd2c694247e

  lpia architecture (Low Power Intel Architecture):

          Size/MD5:   143308 9174b81254494f27457bce98d73f9a5b
          Size/MD5:   107932 c97afe12864aa0c91c82d1331edd739d

  powerpc architecture (Apple Macintosh G3/G4/G5):

          Size/MD5:   158918 9e2145814af329ba3b8deb6e269396e6
          Size/MD5:   115096 39e2ed416b83c3c289eb4700d6b10fe4

  sparc architecture (Sun SPARC/UltraSPARC):

          Size/MD5:   136806 6180a01bcca41ec614520a6a617247b1
          Size/MD5:   108752 5a37c25ed4116c66f26e28ba4d914a3d

Updated packages for Ubuntu 8.10:

  Source archives:

          Size/MD5:     4554 0f4ebbe4a21abb32e1b8adcc841272fd
          Size/MD5:     1215 e957555bab090aeb2bf2b043710536c1
          Size/MD5:    81186 5575979dac93c9c5795d7693a8f91c86

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

          Size/MD5:   161374 c2bd1d7edf9a4b7fe8775a4b81e41c89
          Size/MD5:   113848 df4cf90f62f064cde2af19d4e53bb6a8

  i386 architecture (x86 compatible Intel/AMD):

          Size/MD5:   144342 9613af053ccac31ee68f0ea7237102ba
          Size/MD5:   108184 61858ff497b9a22271c987d2b3f8e136

  lpia architecture (Low Power Intel Architecture):

          Size/MD5:   145702 efb2a010093fd49ad4b2d459ba700109
          Size/MD5:   107998 5aa9a9f24cde01ed80e5cc7119fc3976

  powerpc architecture (Apple Macintosh G3/G4/G5):

          Size/MD5:   160822 8414c4daf91fac983e85f48af335fadb
          Size/MD5:   114884 359b31a67439795c2cb2d9740c9be2a2

  sparc architecture (Sun SPARC/UltraSPARC):

          Size/MD5:   138978 01cd4bc1d15a97e96c62177855a610f2
          Size/MD5:   108932 e4847eeeeed2e144e4f7c4efe147312e

Ubuntu 870-1: PyGreSQL vulnerability

December 11, 2009
Steffen Joeris discovered that PyGreSQL 3.8 did not use PostgreSQL's safestring and bytea functions in its own escaping functions

Summary

Update Instructions

References

Severity
pygresql vulnerability

Package Information

Related News

30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
2.Motherboard Esm H320
2 - 3 min read
The recently uncovered "Native Branch History Injection (BHI)" exploit against the Linux kernel marks a significant milestone in the ongoing battle

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved