Forwarding this to the developers forum in case some of you don't read the Pike user list as closely...
----- Forwarded message from Martin Pitt martin.pitt@ubuntu.com -----
Date: Thu, 17 Aug 2006 09:40:53 +0200 (MEST)
Hi Pike developers,
The 7.6.86 announcement advertises a "Fix for potential SQL injection vulnerability in Postgres." Mitre assigned CVE-2006-4041 to this, but there is very little information about the vulnerability.
I found this in CVS:
----------------------------
/cvs/Pike/7.6/lib/modules/Sql.pmod/Sql.pike
revision 1.26
date: 2006/06/06 03:25:59; author: adam; state: Exp; lines: +4 -2
Make Sql.postgres objects use the safe quote() method if available.
----------------------------
/cvs/Pike/7.6/src/modules/Postgres/
revision 1.25
date: 2006/05/24 17:49:56; author: adam; state: Exp; lines: +5 -2
backport SQL injection fix from 7.7

revision 1.40
date: 2006/05/24 17:49:56; author: adam; state: Exp; lines: +39 -2
backport SQL injection fix from 7.7
----------------------------
which seems to be the fix for the recent general PostgreSQL/MySQL ' -> '' quote escaping issue (CVE-2006-2314 for PostgreSQL). Does that announcement refer to this quoting fix (it would match the description)?
Thank you,
Martin
pike-devel@lists.lysator.liu.se