Courier Authentication Library: SQL Injection vulnerability — GLSA 200903-25

An SQL injection vulnerability has been discovered in the Courier Authentication Library.

Affected Packages

net-libs/courier-authlib on all architectures
Affected versions < 0.62.2
Unaffected versions >= 0.62.2

Background

The Courier Authentication Library is a generic authentication API that encapsulates the process of validating account passwords.

Description

It has been reported that some parameters used in SQL queries are not properly sanitized before being processed when using a non-Latin locale Postgres database.

Impact

A remote attacker could send specially crafted input to an application using the library, possibly resulting in the execution of arbitrary SQL commands.

Workaround

There is no known workaround at this time.

Resolution

All Courier Authentication Library users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-libs/courier-authlib-0.62.2"

References

Release Date
March 11, 2009

Latest Revision
March 11, 2009: 01

Severity
normal

Exploitable
remote

Bugzilla entries