==========================================================Ubuntu Security Notice USN-870-1          December 11, 2009
pygresql vulnerability
CVE-2009-2940
==========================================================
A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  python-pygresql                 1:3.8.1-2ubuntu0.1

Ubuntu 8.10:
  python-pygresql                 1:3.8.1-3ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Steffen Joeris discovered that PyGreSQL 3.8 did not use PostgreSQL's safe
string and bytea functions in its own escaping functions. As a result,
applications written to use PyGreSQL's escaping functions are vulnerable to
SQL injections when processing certain multi-byte character sequences.
Because the safe functions require a database connection, to maintain
backwards compatibility, pg.escape_string() and pg.escape_bytea() are still
available, but applications will have to be adjusted to use the new
pyobj.escape_string() and pyobj.escape_bytea() functions. For example, code
containing:

  import pg
  connection = pg.connect(...)
  escaped = pg.escape_string(untrusted_input)

should be adjusted to use:

  import pg
  connection = pg.connect(...)
  escaped = connection.escape_string(untrusted_input)


Updated packages for Ubuntu 8.04 LTS:

  Source archives:

          Size/MD5:     4556 282feadbd53e81d0912041f3e8707b65
          Size/MD5:      819 9613b347da5530beaaed5685ca7190e9
          Size/MD5:    81186 5575979dac93c9c5795d7693a8f91c86

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

          Size/MD5:   158862 52a6055fbb6bd8343b5a714c12e30afa
          Size/MD5:   113590 ab2f308e7c9d011e4290a159c0ac5c66

  i386 architecture (x86 compatible Intel/AMD):

          Size/MD5:   142506 fc8a7789c369ac24468b7dc9cfcf8de5
          Size/MD5:   108396 00a81a413758c9c9b91efdd2c694247e

  lpia architecture (Low Power Intel Architecture):

          Size/MD5:   143308 9174b81254494f27457bce98d73f9a5b
          Size/MD5:   107932 c97afe12864aa0c91c82d1331edd739d

  powerpc architecture (Apple Macintosh G3/G4/G5):

          Size/MD5:   158918 9e2145814af329ba3b8deb6e269396e6
          Size/MD5:   115096 39e2ed416b83c3c289eb4700d6b10fe4

  sparc architecture (Sun SPARC/UltraSPARC):

          Size/MD5:   136806 6180a01bcca41ec614520a6a617247b1
          Size/MD5:   108752 5a37c25ed4116c66f26e28ba4d914a3d

Updated packages for Ubuntu 8.10:

  Source archives:

          Size/MD5:     4554 0f4ebbe4a21abb32e1b8adcc841272fd
          Size/MD5:     1215 e957555bab090aeb2bf2b043710536c1
          Size/MD5:    81186 5575979dac93c9c5795d7693a8f91c86

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

          Size/MD5:   161374 c2bd1d7edf9a4b7fe8775a4b81e41c89
          Size/MD5:   113848 df4cf90f62f064cde2af19d4e53bb6a8

  i386 architecture (x86 compatible Intel/AMD):

          Size/MD5:   144342 9613af053ccac31ee68f0ea7237102ba
          Size/MD5:   108184 61858ff497b9a22271c987d2b3f8e136

  lpia architecture (Low Power Intel Architecture):

          Size/MD5:   145702 efb2a010093fd49ad4b2d459ba700109
          Size/MD5:   107998 5aa9a9f24cde01ed80e5cc7119fc3976

  powerpc architecture (Apple Macintosh G3/G4/G5):

          Size/MD5:   160822 8414c4daf91fac983e85f48af335fadb
          Size/MD5:   114884 359b31a67439795c2cb2d9740c9be2a2

  sparc architecture (Sun SPARC/UltraSPARC):

          Size/MD5:   138978 01cd4bc1d15a97e96c62177855a610f2
          Size/MD5:   108932 e4847eeeeed2e144e4f7c4efe147312e

Ubuntu 870-1: PyGreSQL vulnerability

December 11, 2009
Steffen Joeris discovered that PyGreSQL 3.8 did not use PostgreSQL's safestring and bytea functions in its own escaping functions

Summary

Update Instructions

References

Severity
pygresql vulnerability

Package Information

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved