Fedora Legacy Test Update Notification: mod_auth_pgsql

Marc Deslauriers marcdeslauriers at videotron.ca
Thu Jan 19 23:46:47 UTC 2006


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-177326
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177326
2006-01-19
---------------------------------------------------------------------

Name        : mod_auth_pgsql
Versions    : fc1: mod_auth_pgsql-2.0.1-3.1.legacy
Versions    : fc2: mod_auth_pgsql-2.0.1-4.2.legacy
Summary     : Basic authentication for the Apache Web server using
              a PostgreSQL database.
Description :
Mod_auth_pgsql can be used to limit access to documents served by a
Web server by checking fields in a table in a PostgreSQL database.

---------------------------------------------------------------------
Update Information:

An updated mod_auth_pgsql package that fixes a format string flaw is now
available.

The mod_auth_pgsql package is an httpd module that allows user
authentication against information stored in a PostgreSQL database.

Several format string flaws were found in the way mod_auth_pgsql logs
information. It may be possible for a remote attacker to execute
arbitrary code as the 'apache' user if mod_auth_pgsql is used for user
authentication. The Common Vulnerabilities and Exposures project
assigned the name CVE-2005-3656 to this issue.

Please note that this issue only affects servers which have
mod_auth_pgsql installed and configured to perform user authentication
against a PostgreSQL database.

All users of mod_auth_pgsql should upgrade to these updated packages,
which contain a backported patch to resolve this issue.

---------------------------------------------------------------------
Changelogs

fc1:
* Sun Jan 15 2006 David Eisenstein <deisenst at gtw.net> 2.0.1-3.1.legacy
- The following fixes lifted wholesale from FC3's .src.rpm, (Legacy Bug
  #177326).  Changes by Joe Orton of RedHat:
  * add security fix for CVE-2005-3656
  * don't strip .so file so debuginfo works
  * fix r->user handling (Mirko Streckenbach, #150087)
  * merge from Taroon (RHEL 3):
    - don't re-use database connections (#115496)
    - make functions static
    - downgrade "not configured" log message from warning to debug

fc2:
* Sun Jan 15 2006 David Eisenstein <deisenst at gtw.net> 2.0.1-4.2.legacy
- Rebuilt for FC2

* Sun Jan 15 2006 David Eisenstein <deisenst at gtw.net> 2.0.1-3.1.legacy
- The following fixes lifted wholesale from FC3's .src.rpm, (Legacy Bug
  #177326).  Changes by Joe Orton of RedHat:
  * add security fix for CVE-2005-3656
  * don't strip .so file so debuginfo works
  * fix r->user handling (Mirko Streckenbach, #150087)
  * merge from Taroon (RHEL 3):
    - don't re-use database connections (#115496)
    - make functions static
    - downgrade "not configured" log message from warning to debug

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

e6ce19c8be5f4638e2050437c4529b0d4a0f5e1f
fedora/1/updates-testing/i386/mod_auth_pgsql-2.0.1-3.1.legacy.i386.rpm
119b3b6045eaa3b175ebe3d613daca8e9c81b35c
fedora/1/updates-testing/SRPMS/mod_auth_pgsql-2.0.1-3.1.legacy.src.rpm
8f9c2503b417db84b73483e6daca445c4789e4e4
fedora/2/updates-testing/i386/mod_auth_pgsql-2.0.1-4.2.legacy.i386.rpm
52aabaff10fb0f862e1b96199facb7da046e94dc
fedora/2/updates-testing/SRPMS/mod_auth_pgsql-2.0.1-4.2.legacy.src.rpm

---------------------------------------------------------------------

Please test and comment in bugzilla.
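
The class of flaw named in the update information (untrusted text reaching a printf-style logging call as the format string), shown as an added C example that is not code from mod_auth_pgsql or from this advisory. The logger `log_error`, the two `log_auth_failure_*` functions and the message text are hypothetical stand-ins, and the sample user name is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style logger standing in for a server's logging call.
 * It writes into a buffer so the logged text can be inspected. The format
 * attribute lets GCC/Clang check every call site (-Wformat-security). */
static char log_buf[256];
static int log_error(const char *fmt, ...) __attribute__((format(printf, 1, 2)));

static int log_error(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(log_buf, sizeof log_buf, fmt, ap);
    va_end(ap);
    return n;
}

#ifdef SHOW_VULNERABLE
/* Flawed pattern: a message built from client input is passed as the format
 * string, so any conversion specifier in it is interpreted by the logger.
 * Build with -DSHOW_VULNERABLE -Wformat-security to see the compiler flag it. */
static void log_auth_failure_unsafe(const char *user)
{
    char msg[128];
    snprintf(msg, sizeof msg, "password mismatch for user %s", user);
    log_error(msg);               /* format argument is not a literal */
}
#endif

/* Hardened pattern: constant format string, untrusted text only as data. */
static const char *log_auth_failure_safe(const char *user)
{
    char msg[128];
    snprintf(msg, sizeof msg, "password mismatch for user %s", user);
    log_error("%s", msg);
    return log_buf;
}

int main(void)
{
    /* Constructed input: a user name that contains conversion specifiers. */
    puts(log_auth_failure_safe("alice%x%n"));
    return 0;
}
```

When auditing a module for this pattern, building with `-Wformat -Wformat-security` reports every logging call whose format argument is not a string literal, provided the logger carries the format attribute.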