-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-1688-2 security@debian.org http://www.debian.org/security/ Steffen Joeris December 22, 2008 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : courier-authlib Vulnerability : SQL injection Problem type : local/remote XXX Debian-specific: no CVE Id(s) : CVE-2008-2380 CVE-2008-2667 The update of courier-authlib in DSA 1688-1 caused a regression with setups that do not use mail addresses for authentification. This update fixes this regression. For reference, the full advisory text is below. Two SQL injection vulnerabilities have beein found in courier-authlib, the courier authentification library. The MySQL database interface used insufficient escaping mechanisms when constructing SQL statements, leading to SQL injection vulnerabilities if certain charsets are used (CVE-2008-2380). A similar issue affects the PostgreSQL database interface (CVE-2008-2667). For the stable distribution (etch), these problems have been fixed in version 0.58-4+etch3. For the testing distribution (lenny) and the unstable distribution (sid), these problems have been fixed in version 0.61.0-1+lenny1. We recommend that you upgrade your courier-authlib packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Source archives: http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3.dsc Size/MD5 checksum: 970 eea6bc2a491339d1b06f0d9891906a4f http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58.orig.tar.gz Size/MD5 checksum: 3342115 75b5b2b72d550048ed1b29e687a1a60d http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3.diff.gz Size/MD5 checksum: 44339 c051936ba955b33ac17bed1a7a062ed6 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch3_alpha.deb Size/MD5 checksum: 150150 c1fb3322ef09b7e5592cdb2e0e972e8b http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch3_alpha.deb Size/MD5 checksum: 6982 fdcfcee4cf7e92463d80fc52c31544c6 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch3_alpha.deb Size/MD5 checksum: 8958 d0d7c0c186dc70bf163fb56efdac13e0 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3_alpha.deb Size/MD5 checksum: 92768 ad72b16c890b88f5878b044ba634d743 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch3_alpha.deb Size/MD5 checksum: 23274 072c28b73f51ec0c0853d2235cc43f7a http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch3_alpha.deb Size/MD5 checksum: 20456 9946cb154a436ad185e6ac59d219ee0d http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch3_alpha.deb Size/MD5 checksum: 20384 add1d85c7f9f1f951110112e57dd941c http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch3_alpha.deb Size/MD5 checksum: 39140 eb641b37baca55b34824e6ccc9123604 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch3_amd64.deb Size/MD5 checksum: 111930 9eadcaae493d99804507584da9a84ed3 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch3_amd64.deb Size/MD5 checksum: 22290 82ddefca4a28ee7b7138b769bdf70a46 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch3_amd64.deb Size/MD5 checksum: 8404 17f359e16622de5b346c4b6ec21b46d5 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch3_amd64.deb Size/MD5 checksum: 34396 3db1718272c4bd67cd9afb61176d6b93 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3_amd64.deb Size/MD5 checksum: 81536 13269dedb780975742c82e8b132fc1e8 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch3_amd64.deb Size/MD5 checksum: 20070 0a0f9a90faff809bf7fcb6828146e1ca http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch3_amd64.deb Size/MD5 checksum: 6978 8046f6964e4b80c81bfb18f53a861808 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch3_amd64.deb Size/MD5 checksum: 19874 b6255a89d42af434881f4a70047b35af hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch3_hppa.deb Size/MD5 checksum: 6982 883a20dc2aa90969542ec955752bff73 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch3_hppa.deb Size/MD5 checksum: 37910 625d55b6bca6443e8a4815948a8be2f1 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch3_hppa.deb Size/MD5 checksum: 20838 ddedaa4084343959757826e6bff14bfc http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch3_hppa.deb Size/MD5 checksum: 20872 07755a04f444333e80f07b37057fc35a http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch3_hppa.deb Size/MD5 checksum: 9066 74c2fb5f4c6d5e56d4659746a92a3d51 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3_hppa.deb Size/MD5 checksum: 89204 1b0afa7787fac7d6a28c94f667ced9fe http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch3_hppa.deb Size/MD5 checksum: 23672 f01834aacc18dab3bd4b6f6d963df347 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch3_hppa.deb Size/MD5 checksum: 123946 00826c1564cdae69df31a42418562c4c i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch3_i386.deb Size/MD5 checksum: 18984 3ba8eb6f6cca2ee36e0f244c4534ae06 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch3_i386.deb Size/MD5 checksum: 21244 711ee9c10e91535cb95574a40ed003bf http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch3_i386.deb Size/MD5 checksum: 6984 01ce4d9a33afd119261053e902ddf776 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3_i386.deb Size/MD5 checksum: 76350 01bea1c85a49803f32a641d5c88aa47f http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch3_i386.deb Size/MD5 checksum: 18792 973c61fe45d343a5f6e733583677a660 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch3_i386.deb Size/MD5 checksum: 33270 9b64fa8ef06742b5c3c30b513380ed10 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch3_i386.deb Size/MD5 checksum: 7832 b32c9185e3e953f32198ac39c4b34658 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch3_i386.deb Size/MD5 checksum: 100350 20f136305d113cb313583524d99c2257 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3_ia64.deb Size/MD5 checksum: 109912 f34ccc9736f6f983e3808609effe05d2 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch3_ia64.deb Size/MD5 checksum: 28118 83b5b87867515ef4ffb2c7f55d2bfd43 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch3_ia64.deb Size/MD5 checksum: 6976 1147d769c809e15bc774ac185f1b8b42 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch3_ia64.deb Size/MD5 checksum: 44760 2edbd453344c340ecbce8e7cc6680512 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch3_ia64.deb Size/MD5 checksum: 23770 c2482713d38f71c3df161e15266d9cc1 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch3_ia64.deb Size/MD5 checksum: 24068 e2e591dcc0b79db504364cff45925c1c http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch3_ia64.deb Size/MD5 checksum: 148148 aa9a24fe0797adce9743dad4a5a69f11 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch3_ia64.deb Size/MD5 checksum: 10212 9776f4d13b0f55805963dc9ebe0cb775 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch3_mips.deb Size/MD5 checksum: 124734 db5ac1f173860a9a8b0abdb81899eaf5 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch3_mips.deb Size/MD5 checksum: 21922 f905ce6714943afc4f99bde253ad06dd http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3_mips.deb Size/MD5 checksum: 81866 342671c976b85df7f9cbdcd4e9944fbc http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch3_mips.deb Size/MD5 checksum: 6980 67f98c77898ebe0ad905c87a22df3765 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch3_mips.deb Size/MD5 checksum: 8212 8f102b2250c3d69e28dcc72a50e660b9 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch3_mips.deb Size/MD5 checksum: 19488 a7fc20bcbaafd8d6f0053b41b2e07e5e http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch3_mips.deb Size/MD5 checksum: 19506 782e5bf2a2ba56eba4f9836ffae51125 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch3_mips.deb Size/MD5 checksum: 35230 113b19cb398cdd1d9599a0cc21887e0c mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch3_mipsel.deb Size/MD5 checksum: 19500 69d3c6a55491a2b05e8e45a4dfb44c09 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch3_mipsel.deb Size/MD5 checksum: 22040 c20f1e9c94a4fb18fd395faea3166422 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch3_mipsel.deb Size/MD5 checksum: 120978 709261a8c1f12aa3a2c41f7927277219 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3_mipsel.deb Size/MD5 checksum: 81726 30bd7b0c49f3c2e061dfd334a4228480 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch3_mipsel.deb Size/MD5 checksum: 6984 1abad4411b157633529b23495a10dbf9 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch3_mipsel.deb Size/MD5 checksum: 19534 423fc50987ba31f0fc36f9fa6b1a1996 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch3_mipsel.deb Size/MD5 checksum: 36020 b2503eacfd49e69405e0523b2116a05b http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch3_mipsel.deb Size/MD5 checksum: 8228 f3394eef4fe9fd4415b04398a434fd09 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3_powerpc.deb Size/MD5 checksum: 88110 26ab00dd8ee3fc7614aec67c46672621 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch3_powerpc.deb Size/MD5 checksum: 19706 e3a473111e423e8238da8fa1e9fcc5f2 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch3_powerpc.deb Size/MD5 checksum: 8352 b5a2f944ca239eb5a333a8da10a8b745 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch3_powerpc.deb Size/MD5 checksum: 19890 22eab317e0e2158d748f9241f7aed0a3 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch3_powerpc.deb Size/MD5 checksum: 35768 8a1a598aed19939add47f6e65149c97d http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch3_powerpc.deb Size/MD5 checksum: 6980 0a5425ab814688d31b2d773941e5b56a http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch3_powerpc.deb Size/MD5 checksum: 110380 0e1c65ff5693adb9b0865aaba67bd5da http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch3_powerpc.deb Size/MD5 checksum: 22104 4ee5709bc224137a1733e75966c305dd s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch3_s390.deb Size/MD5 checksum: 8288 7d1547a5ddade9332cfd1dc618fd65dc http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch3_s390.deb Size/MD5 checksum: 6970 a1b9b7c977b68a50d3736d669f88bb8b http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch3_s390.deb Size/MD5 checksum: 102932 519d077f2a54fd34f3f9f86151ff2a85 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch3_s390.deb Size/MD5 checksum: 22768 91530b8b45b0c792a2430cafc8502c2b http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch3_s390.deb Size/MD5 checksum: 19778 c3252ded11e8694ac91f7458e54a0364 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3_s390.deb Size/MD5 checksum: 84534 9d9b385748427bcd4a240365d5da651b http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch3_s390.deb Size/MD5 checksum: 20034 337f77aa4ddd3f32af8dac532bdef1d3 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch3_s390.deb Size/MD5 checksum: 35918 570f14e13e5541253b014dc5f707475e sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-userdb_0.58-4+etch3_sparc.deb Size/MD5 checksum: 33484 8dab32a63b1fc4ded9fbfdde33ef3639 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-dev_0.58-4+etch3_sparc.deb Size/MD5 checksum: 102396 8a2f9a0f833510ef53375926befda961 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authdaemon_0.58-4+etch3_sparc.deb Size/MD5 checksum: 6988 9b01eba47daf823d4f1198a90b784c6c http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib_0.58-4+etch3_sparc.deb Size/MD5 checksum: 75698 09c45f6116ca18e48c8e3702dada54b1 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-pipe_0.58-4+etch3_sparc.deb Size/MD5 checksum: 7878 3009ba4c1c2f042b5fe7e5e9ad4655b6 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-mysql_0.58-4+etch3_sparc.deb Size/MD5 checksum: 19218 64ed92e3620a8c3eb44a3655a93cf51d http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-ldap_0.58-4+etch3_sparc.deb Size/MD5 checksum: 21830 97997f7a1fde6c52f7d7ddffdbe66724 http://security.debian.org/pool/updates/main/c/courier-authlib/courier-authlib-postgresql_0.58-4+etch3_sparc.deb Size/MD5 checksum: 19170 fe45e9811a4f95cd469f7f1dbd607098 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJJUCBIAAoJEL97/wQC1SS+BVsH/335R5WqInHRraHk0JE3Owzt qV5xBgjWXnU7cxKEvsPmvhYanJs6kjd24S5d9GOQVVZhKS6zC6ToH+u7GwOnYChR +kLdtLziYSx8mcZUtrjWeL/iYaE3xClRTROgfYUXrMJ2RawU4kUgx7nxTPwF76ei axmURM4ImgoxVF7fMRRIoX/pgvl3dGoUPdzCepxTrrdjqfUhXZCaQ8l7xikKVcGV 71oM7szbhZL6QIBxY2G4Oa/LByuj1UOSfo9y0M4+V46KyFYBjjKbzbqNpo2agLU+ 7LR0mtk7dYvVDDdr/gDBcTJ0y8UCkrJ3SVTJqHVXHx8CrDikc5IfOqEd+1sWA1g= =0+3H -----END PGP SIGNATURE-----