blob: c4e95694e424e15592910ae1951f867d0dd07941 [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200809-05">
<title>Courier Authentication Library: SQL injection vulnerability</title>
An SQL injection vulnerability has been discovered in the Courier
Authentication Library.
<product type="ebuild">courier-authlib</product>
<announced>September 05, 2008</announced>
<revised>September 05, 2008: 01</revised>
<package name="net-libs/courier-authlib" auto="yes" arch="*">
<unaffected range="ge">0.60.6</unaffected>
<vulnerable range="lt">0.60.6</vulnerable>
The Courier Authentication Library is a generic authentication API that
encapsulates the process of validating account passwords.
It has been discovered that some input (e.g. the username) passed to
the library are not properly sanitised before being used in SQL
<impact type="normal">
A remote attacker could provide specially crafted input to the library,
possibly resulting in the remote execution of arbitrary SQL commands.
NOTE: Exploitation of this vulnerability requires that a MySQL database
is used for authentication and that a Non-Latin character set is
There is no known workaround at this time.
All Courier Authentication Library users should upgrade to the latest
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=net-libs/courier-authlib-0.60.6&quot;</code>
<uri link="">CVE-2008-2667</uri>
<metadata tag="requester" timestamp="Mon, 11 Aug 2008 18:54:58 +0000">
<metadata tag="bugReady" timestamp="Mon, 11 Aug 2008 18:56:59 +0000">
<metadata tag="submitter" timestamp="Thu, 28 Aug 2008 21:07:13 +0000">