Upstream information

CVE-2006-2314 at MITRE

Description

PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13, 7.3.x before 7.3.15, and earlier versions allow context-dependent attackers to bypass SQL injection protection methods in applications that use multibyte encodings that allow the "\" (backslash) byte 0x5c to be the trailing byte of a multibyte character, such as SJIS, BIG5, GBK, GB18030, and UHC, which cannot be handled correctly by a client that does not understand multibyte encodings, aka a second variant of "Encoding-Based SQL Injection." NOTE: it could be argued that this is a class of issue related to interaction errors between the client and PostgreSQL, but a CVE has been assigned since PostgreSQL is treating this as a preventative measure against this class of problem.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v2 Scores (source: National Vulnerability Database)
Base Score: 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
SUSE Bugzilla entries: 177931 [RESOLVED / FIXED], 186608 [RESOLVED / FIXED], 199937 [RESOLVED / INVALID]

SUSE Security Advisories:

List of released packages

Product(s) / Fixed package version(s) / References
SUSE LINUX 10.1
  • postgresql-server >= 8.1.4-1.2
SUSE LINUX 10.0
  • postgresql >= 8.0.8-0.2
  • postgresql-contrib >= 8.0.8-0.2
  • postgresql-devel >= 8.0.8-0.2
  • postgresql-docs >= 8.0.8-0.2
  • postgresql-libs >= 8.0.8-0.2
  • postgresql-libs-32bit >= 8.0.8-0.2
  • postgresql-libs-64bit >= 8.0.8-0.2
  • postgresql-pl >= 8.0.8-0.2
  • postgresql-server >= 8.0.8-0.2
SUSE LINUX 9.1 for IA32
  • postgresql >= 7.4.13-0.4
  • postgresql-contrib >= 7.4.13-0.4
  • postgresql-devel >= 7.4.13-0.4
  • postgresql-docs >= 7.4.13-0.4
  • postgresql-libs >= 7.4.13-0.4
  • postgresql-pl >= 7.4.13-0.4
  • postgresql-server >= 7.4.13-0.4
SUSE LINUX 9.1 for x86-64
  • postgresql >= 7.4.13-0.4
  • postgresql-contrib >= 7.4.13-0.4
  • postgresql-devel >= 7.4.13-0.4
  • postgresql-docs >= 7.4.13-0.4
  • postgresql-libs >= 7.4.13-0.4
  • postgresql-libs-32bit >= 9.1-200605310116
  • postgresql-pl >= 7.4.13-0.4
  • postgresql-server >= 7.4.13-0.4
SUSE LINUX 9.2
  • postgresql >= 7.4.13-0.2
  • postgresql-contrib >= 7.4.13-0.2
  • postgresql-devel >= 7.4.13-0.2
  • postgresql-docs >= 7.4.13-0.2
  • postgresql-libs >= 7.4.13-0.2
  • postgresql-libs-32bit >= 9.2-200605301412
  • postgresql-pl >= 7.4.13-0.2
  • postgresql-server >= 7.4.13-0.2
SUSE LINUX 9.3
  • postgresql >= 8.0.8-0.2
  • postgresql-contrib >= 8.0.8-0.2
  • postgresql-devel >= 8.0.8-0.2
  • postgresql-docs >= 8.0.8-0.2
  • postgresql-libs >= 8.0.8-0.2
  • postgresql-libs-32bit >= 9.3-7.3
  • postgresql-pl >= 8.0.8-0.2
  • postgresql-server >= 8.0.8-0.2
SUSE LINUX 10.0
  • dovecot >= 0.99.14-5.2
SUSE LINUX 10.1
  • dovecot >= 1.0.beta3-13.4
SUSE LINUX 9.2
  • dovecot >= 0.99.11-2.2
SUSE LINUX 9.3
  • dovecot >= 0.99.14-3.2
SUSE LINUX 10.1
  • postgresql >= 8.1.4-1.2
  • postgresql-contrib >= 8.1.4-1.2
  • postgresql-devel >= 8.1.4-1.2
  • postgresql-docs >= 8.1.4-1.2
  • postgresql-libs >= 8.1.4-1.2
  • postgresql-libs-32bit >= 8.1.4-1.2
  • postgresql-libs-64bit >= 8.1.4-1.2
  • postgresql-pl >= 8.1.4-1.2
Novell Linux Desktop 9 for x86
Open Enterprise Server
  • postgresql >= 7.4.13-0.2
  • postgresql-contrib >= 7.4.13-0.2
  • postgresql-devel >= 7.4.13-0.2
  • postgresql-docs >= 7.4.13-0.2
  • postgresql-libs >= 7.4.13-0.2
  • postgresql-pl >= 7.4.13-0.2
  • postgresql-server >= 7.4.13-0.2
Builds
YOU Patch Nr: 11025
Novell Linux Desktop 9 for x86_64
  • postgresql >= 7.4.13-0.2
  • postgresql-contrib >= 7.4.13-0.2
  • postgresql-devel >= 7.4.13-0.2
  • postgresql-docs >= 7.4.13-0.2
  • postgresql-libs >= 7.4.13-0.2
  • postgresql-libs-32bit >= 9-200605291910
  • postgresql-pl >= 7.4.13-0.2
  • postgresql-server >= 7.4.13-0.2
Builds
YOU Patch Nr: 11025