Debian Bug report logs -
#633637
Exploitable remotely: SQL injection
Reported by: Amaya Rodrigo Sastre <amaya@debian.org>
Date: Tue, 12 Jul 2011 11:42:02 UTC
Severity: critical
Tags: patch, security
Found in version libapache2-mod-authnz-external/3.2.4-2
Fixed in versions libapache2-mod-authnz-external/3.2.4-2.1, libapache2-mod-authnz-external/3.2.4-2+squeeze1
Done: Steffen Joeris <white@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Hai Zaar <haizaar@haizaar.com>:
Bug#633637; Package libapache2-mod-authnz-external.
(Tue, 12 Jul 2011 11:42:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Amaya Rodrigo Sastre <amaya@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Hai Zaar <haizaar@haizaar.com>.
(Tue, 12 Jul 2011 11:42:15 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: libapache2-mod-authnz-external
Version: 3.2.4-2
Severity: critical
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi there,
According to
http://code.google.com/p/mod-auth-external/issues/detail?id=5 there's a
possible remote sql injection bug. The fix is a two liner:
- --- trunk/mod_authnz_external/mysql/mysql-auth.pl
+++ trunk/mod_authnz_external/mysql/mysql-auth.pl
@@ -62,8 +62,10 @@
exit 1;
}
- -my $dbq = $dbh->prepare("select username as username, password as password from users where username=\'$user\';");
+my $dbq = $dbh->prepare("select username as username, password as password from users where username=?;");
+$dbq->bind_param(1, $user);
$dbq->execute;
+
my $row = $dbq->fetchrow_hashref();
if ($row->{username} eq "") {
Thanks!
- -- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (100, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.39-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libapache2-mod-authnz-external depends on:
ii apache2.2-common 2.2.19-1 Apache HTTP Server common files
pn libc6 <none> (no description available)
Versions of packages libapache2-mod-authnz-external recommends:
ii pwauth 2.3.8-1 authenticator for mod_authnz_exter
libapache2-mod-authnz-external suggests no packages.
- -- no debconf information
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk4cMpUACgkQNFDtUT/MKpAAlwCgqrEBO0A+HUB4eLWSpOf5RUf7
kGkAoKTMd0zZUneJvsHnj7O+DfxXFbMZ
=w70I
-----END PGP SIGNATURE-----
Reply sent
to Amaya <amaya@debian.org>:
You have taken responsibility.
(Tue, 12 Jul 2011 15:09:09 GMT) (full text, mbox, link).
Notification sent
to Amaya Rodrigo Sastre <amaya@debian.org>:
Bug acknowledged by developer.
(Tue, 12 Jul 2011 15:09:10 GMT) (full text, mbox, link).
Message #10 received at 633637-done@bugs.debian.org (full text, mbox, reply):
Sorry for the noise, the patch is already in Debian.
Closing the bug now.
--
.''`. Ex nihilo nihil fit
: :' :
`. `'
`- Proudly running Debian GNU/Linux
Did not alter fixed versions and reopened.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 14 Jul 2011 10:51:29 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Hai Zaar <haizaar@haizaar.com>:
Bug#633637; Package libapache2-mod-authnz-external.
(Thu, 14 Jul 2011 11:09:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Amaya <amaya@debian.org>:
Extra info received and forwarded to list. Copy sent to Hai Zaar <haizaar@haizaar.com>.
(Thu, 14 Jul 2011 11:09:06 GMT) (full text, mbox, link).
Message #17 received at 633637@bugs.debian.org (full text, mbox, reply):
Steffen Joeris wrote:
> I had a quick look and didn't see that code included in debian as far
> as I can see the package has the same version in all suites or am I
> missing anything?
Oh, $DEITY, you are absolutely right, I looked at a locally patched
version and confused it with the debian provided one. I had too little
coffee yesterday :)
Yes, this bug should be reopened, and fixed.
Thanks for your attention to detail!
--
.''`. Ex nihilo nihil fit
: :' :
`. `'
`- Proudly running Debian GNU/Linux
Information forwarded
to debian-bugs-dist@lists.debian.org, Hai Zaar <haizaar@haizaar.com>:
Bug#633637; Package libapache2-mod-authnz-external.
(Thu, 14 Jul 2011 11:21:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Hai Zaar <haizaar@haizaar.com>.
(Thu, 14 Jul 2011 11:21:10 GMT) (full text, mbox, link).
Message #22 received at 633637@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Amaya,
> Steffen Joeris wrote:
> > I had a quick look and didn't see that code included in debian as far
> > as I can see the package has the same version in all suites or am I
> > missing anything?
>
> Oh, $DEITY, you are absolutely right, I looked at a locally patched
> version and confused it with the debian provided one. I had too little
> coffee yesterday :)
>
> Yes, this bug should be reopened, and fixed.
No worries, if you have time, feel free to upload an NMU and a fixed version
for squeeze to stable-security.
Cheers,
Steffen
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Hai Zaar <haizaar@haizaar.com>:
Bug#633637; Package libapache2-mod-authnz-external.
(Thu, 14 Jul 2011 11:27:11 GMT) (full text, mbox, link).
Acknowledgement sent
to Amaya <amaya@debian.org>:
Extra info received and forwarded to list. Copy sent to Hai Zaar <haizaar@haizaar.com>.
(Thu, 14 Jul 2011 11:27:16 GMT) (full text, mbox, link).
Message #27 received at 633637@bugs.debian.org (full text, mbox, reply):
tags 633637 pending
thanks
Steffen Joeris wrote:
> No worries, if you have time, feel free to upload an NMU and a fixed
> version for squeeze to stable-security.
I'd love to. Expect an upload today.
--
.''`. Ex nihilo nihil fit
: :' :
`. `'
`- Proudly running Debian GNU/Linux
Information forwarded
to debian-bugs-dist@lists.debian.org, Hai Zaar <haizaar@haizaar.com>:
Bug#633637; Package libapache2-mod-authnz-external.
(Mon, 18 Jul 2011 08:39:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Hai Zaar <haizaar@haizaar.com>.
(Mon, 18 Jul 2011 08:39:03 GMT) (full text, mbox, link).
Message #32 received at 633637@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
Attached is the NMU patch.
Cheers,
Steffen
[nmu.diff (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]
Reply sent
to Steffen Joeris <white@debian.org>:
You have taken responsibility.
(Mon, 18 Jul 2011 08:51:34 GMT) (full text, mbox, link).
Notification sent
to Amaya Rodrigo Sastre <amaya@debian.org>:
Bug acknowledged by developer.
(Mon, 18 Jul 2011 08:51:40 GMT) (full text, mbox, link).
Message #37 received at 633637-close@bugs.debian.org (full text, mbox, reply):
Source: libapache2-mod-authnz-external
Source-Version: 3.2.4-2.1
We believe that the bug you reported is fixed in the latest version of
libapache2-mod-authnz-external, which is due to be installed in the Debian FTP archive:
libapache2-mod-authnz-external_3.2.4-2.1.diff.gz
to main/liba/libapache2-mod-authnz-external/libapache2-mod-authnz-external_3.2.4-2.1.diff.gz
libapache2-mod-authnz-external_3.2.4-2.1.dsc
to main/liba/libapache2-mod-authnz-external/libapache2-mod-authnz-external_3.2.4-2.1.dsc
libapache2-mod-authnz-external_3.2.4-2.1_amd64.deb
to main/liba/libapache2-mod-authnz-external/libapache2-mod-authnz-external_3.2.4-2.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 633637@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated libapache2-mod-authnz-external package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 18 Jul 2011 10:26:11 +1000
Source: libapache2-mod-authnz-external
Binary: libapache2-mod-authnz-external
Architecture: source amd64
Version: 3.2.4-2.1
Distribution: unstable
Urgency: high
Maintainer: Hai Zaar <haizaar@haizaar.com>
Changed-By: Steffen Joeris <white@debian.org>
Description:
libapache2-mod-authnz-external - authenticate Apache against external authentication services
Closes: 633637
Changes:
libapache2-mod-authnz-external (3.2.4-2.1) unstable; urgency=high
.
* Non-maintainer upload by the security team
* Fix SQL injection via the $user paramter (Closes: #633637)
Fixes: CVE-2011-2688
Checksums-Sha1:
0de6e958e966f184447226c4fa59fd96b1b3f343 1214 libapache2-mod-authnz-external_3.2.4-2.1.dsc
df06932fe7da2cbb6a00b4d5d74d3e1fe7de447c 3613 libapache2-mod-authnz-external_3.2.4-2.1.diff.gz
47222b3442e64d3217f73b319d84b313b77987b6 24640 libapache2-mod-authnz-external_3.2.4-2.1_amd64.deb
Checksums-Sha256:
3b0844019250924afb235d15bc6fb27095ed25b6b332eccbcb3dd8a1c83accb6 1214 libapache2-mod-authnz-external_3.2.4-2.1.dsc
7255a4c23a948d943bf9a815f45cf94a6c9c6bf3ca09706b3b5921655e2038f4 3613 libapache2-mod-authnz-external_3.2.4-2.1.diff.gz
70fc8d5f3028511ea740ab8292177daa1a9c489f053d70b9eec440dabcf2b0f7 24640 libapache2-mod-authnz-external_3.2.4-2.1_amd64.deb
Files:
7840d7735cd2e33f014228c7c3796509 1214 web optional libapache2-mod-authnz-external_3.2.4-2.1.dsc
58c4d961fa1ce9010027c4d3454c5ead 3613 web optional libapache2-mod-authnz-external_3.2.4-2.1.diff.gz
4cdf5d46a542c1431d3224cde7ebf42e 24640 web optional libapache2-mod-authnz-external_3.2.4-2.1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk4jf6IACgkQ62zWxYk/rQcDZACeOmzxWS11MoBQmJVG3e4K9XOl
MhEAn2IbmG6irpoYx5KourhC5aadyefL
=BlZk
-----END PGP SIGNATURE-----
Reply sent
to Steffen Joeris <white@debian.org>:
You have taken responsibility.
(Tue, 19 Jul 2011 20:00:08 GMT) (full text, mbox, link).
Notification sent
to Amaya Rodrigo Sastre <amaya@debian.org>:
Bug acknowledged by developer.
(Tue, 19 Jul 2011 20:00:08 GMT) (full text, mbox, link).
Message #42 received at 633637-close@bugs.debian.org (full text, mbox, reply):
Source: libapache2-mod-authnz-external
Source-Version: 3.2.4-2+squeeze1
We believe that the bug you reported is fixed in the latest version of
libapache2-mod-authnz-external, which is due to be installed in the Debian FTP archive:
libapache2-mod-authnz-external_3.2.4-2+squeeze1.diff.gz
to main/liba/libapache2-mod-authnz-external/libapache2-mod-authnz-external_3.2.4-2+squeeze1.diff.gz
libapache2-mod-authnz-external_3.2.4-2+squeeze1.dsc
to main/liba/libapache2-mod-authnz-external/libapache2-mod-authnz-external_3.2.4-2+squeeze1.dsc
libapache2-mod-authnz-external_3.2.4-2+squeeze1_amd64.deb
to main/liba/libapache2-mod-authnz-external/libapache2-mod-authnz-external_3.2.4-2+squeeze1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 633637@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated libapache2-mod-authnz-external package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 18 Jul 2011 10:31:23 +1000
Source: libapache2-mod-authnz-external
Binary: libapache2-mod-authnz-external
Architecture: source amd64
Version: 3.2.4-2+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Hai Zaar <haizaar@haizaar.com>
Changed-By: Steffen Joeris <white@debian.org>
Description:
libapache2-mod-authnz-external - authenticate Apache against external authentication services
Closes: 633637
Changes:
libapache2-mod-authnz-external (3.2.4-2+squeeze1) stable-security; urgency=high
.
* Non-maintainer upload by the security team
* Fix SQL injection via $user parameter (Closes: #633637)
Fixes: CVE-2011-2688
Checksums-Sha1:
47ff2c5d9fce527e510bbd23c35b88bdd4251782 1242 libapache2-mod-authnz-external_3.2.4-2+squeeze1.dsc
517401421ffe6db02a5e5c34f650f653d05affd5 37593 libapache2-mod-authnz-external_3.2.4.orig.tar.gz
7aa00718867a1330252229a8986de2d6aaa5d6b3 3713 libapache2-mod-authnz-external_3.2.4-2+squeeze1.diff.gz
ba7e84f3115eb03e11d60c6e2f3b5d68e060a2cc 24642 libapache2-mod-authnz-external_3.2.4-2+squeeze1_amd64.deb
Checksums-Sha256:
3d796382343cce8509161d32777666772b3d850a6dc240ed89c1eb8986e72366 1242 libapache2-mod-authnz-external_3.2.4-2+squeeze1.dsc
a5fad1559a8b825e86be4458290405bb1bb9379576ba072c3f4279400ee3b915 37593 libapache2-mod-authnz-external_3.2.4.orig.tar.gz
d10769a4600e7014d965a4d82f4d48af88c858d0f515178c6d60a8510149af2a 3713 libapache2-mod-authnz-external_3.2.4-2+squeeze1.diff.gz
78e07b55ee6b642252dee670a5fafaab118cb765a9b0f3beff4d6f767ba4f78d 24642 libapache2-mod-authnz-external_3.2.4-2+squeeze1_amd64.deb
Files:
73fef44c4760dfee0077e68d12200010 1242 web optional libapache2-mod-authnz-external_3.2.4-2+squeeze1.dsc
055de3666b720065dda2e83293cd2d2a 37593 web optional libapache2-mod-authnz-external_3.2.4.orig.tar.gz
e469472990b79acd397f6e586827485f 3713 web optional libapache2-mod-authnz-external_3.2.4-2+squeeze1.diff.gz
95729988d97b070642291b4b4c125ec9 24642 web optional libapache2-mod-authnz-external_3.2.4-2+squeeze1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk4jgLoACgkQ62zWxYk/rQeqlgCdEiocyu3V17+a7Waz2aCYsOPJ
4zwAoLchSy7rwVkVHQ/JVO3En7licYoi
=rext
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 09 Oct 2011 07:34:01 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:21:53 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon