Univention Bugzilla – Bug 49074
sqlalchemy: Multiple issues (4.2)
Last modified: 2019-03-27 16:44:51 CET
New Debian sqlalchemy 0.9.8+dfsg-0.1+deb8u1 fixes:
This update addresses the following issues:
* SQL Injection when the order_by parameter can be controlled (CVE-2019-7164)
* SQL Injection when the group_by parameter can be controlled (CVE-2019-7548)
--- mirror/ftp/4.2/unmaintained/4.2-0/source/sqlalchemy_0.9.8+dfsg-0.1.dsc +++ apt/ucs_4.2-0-errata4.2-5/source/sqlalchemy_0.9.8+dfsg-0.1+deb8u1.dsc @@ -1,3 +1,10 @@ +0.9.8+dfsg-0.1+deb8u1 [Mon, 18 Mar 2019 13:37:16 +0100] Sylvain Beucler <beuc@debian.org>: + + * Non-maintainer upload by the Debian LTS Team. + * Fix CVE-2019-7164 and CVE-2019-7548: SQL injection in order_by() + and group_by(). Upstream warns that this breaks the seldom-used + text coercion feature. + 0.9.8+dfsg-0.1 [Sat, 01 Nov 2014 23:18:08 +0000] Michael Gilbert <mgilbert@debian.org>: * Non-maintainer upload. <http://10.200.17.11/4.2-5/#8848375713044844261>
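Review bot: this hunk touches only the .dsc changelog, so the actual change to order_by() and group_by() cannot be reviewed from it; since the entry states that the fix breaks the seldom-used text coercion feature, that behavioural change should be mentioned in the errata announcement so code relying on it can be adjusted before the update is installed.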
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts
[4.2-5] fd5325ad82 Bug #49074: sqlalchemy 0.9.8+dfsg-0.1+deb8u1
 doc/errata/staging/sqlalchemy.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
<http://errata.software-univention.de/ucs/4.2/626.html>