Advisories:rPSA-2006-0080

From rPath Wiki

rPath Security Advisory 2006-0080-1

Published: 2006-05-24

Products

• rPath Linux 1

Rating

Severe

Exposure Level Classification

Local System User Deterministic Vulnerability

Updated Versions

• postgresql=conary.rpath.com@rpl:1/8.1.4-1-0.1
• postgresql-server=conary.rpath.com@rpl:1/8.1.4-1-0.1

rPath Issue Tracking System

• RPL-381

References

• CVE-2006-2313
• CVE-2006-2314
• http://www.postgresql.org/docs/techdocs.49
• http://www.postgresql.org/docs/techdocs.50
• http://developer.postgresql.org/docs/postgres/release-8-1-4.html

Description

Previous versions of postgresql server and client libraries contain

weaknesses parsing certain character encodings (UTF-8, SJIS, BIG5,

GBK, GB18030, or UHC, but not ASCII) which, when using the vulnerable

encodings, can enable SQL injection attacks against applications

(particularly web applications) which use non-standard escaping of

quote characters.

Because vulnerable escaping of quote characters is no longer allowed,

some existing applications may not function correctly when used with

the new release of postgresql.

Copyright 2006 rPath, Inc. This file is distributed under the terms of the MIT License. A copy is available at http://www.rpath.com/permanent/mit-license.html