[SECURITY] [DSA 2449-1] sqlalchemy security update

2012-04-1205:17:23

lists.debian.org

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

6.6 Medium

AI Score

Confidence

Low

0.004 Low

EPSS

Percentile

73.0%

JSON

Debian Security Advisory DSA-2449-1 [email protected]
http://www.debian.org/security/ Nico Golde
April 12, 2012 http://www.debian.org/security/faq

Package : sqlalchemy
Vulnerability : missing input sanitization
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-0805

It was discovered that sqlalchemy, an SQL toolkit and object relational
mapper for python, is not sanitizing input passed to the limit/offset
keywords to select() as well as the value passed to select.limit()/offset().
This allows an attacker to perform SQL injection attacks against
applications using sqlalchemy that do not implement their own filtering.

For the stable distribution (squeeze), this problem has been fixed in
version 0.6.3-3+squeeze1.

For the testing distribution (wheezy), this problem has been fixed in
version 0.6.7-1.

For the unstable distribution (sid), this problem has been fixed in
version 0.6.7-1.

We recommend that you upgrade your sqlalchemy packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian6amd64python-sqlalchemy-ext< 0.6.3-3+squeeze1python-sqlalchemy-ext_0.6.3-3+squeeze1_amd64.deb
Debian6i386python-sqlalchemy-ext< 0.6.3-3+squeeze1python-sqlalchemy-ext_0.6.3-3+squeeze1_i386.deb
Debian6armelpython-sqlalchemy-ext< 0.6.3-3+squeeze1python-sqlalchemy-ext_0.6.3-3+squeeze1_armel.deb
Debian6kfreebsd-amd64python-sqlalchemy-ext< 0.6.3-3+squeeze1python-sqlalchemy-ext_0.6.3-3+squeeze1_kfreebsd-amd64.deb
Debian6allpython-sqlalchemy< 0.6.3-3+squeeze1python-sqlalchemy_0.6.3-3+squeeze1_all.deb
Debian6allpython3-sqlalchemy< 0.6.3-3+squeeze1python3-sqlalchemy_0.6.3-3+squeeze1_all.deb
Debian6s390python-sqlalchemy-ext< 0.6.3-3+squeeze1python-sqlalchemy-ext_0.6.3-3+squeeze1_s390.deb
Debian6kfreebsd-i386python-sqlalchemy-ext< 0.6.3-3+squeeze1python-sqlalchemy-ext_0.6.3-3+squeeze1_kfreebsd-i386.deb
Debian6allpython-sqlalchemy-doc< 0.6.3-3+squeeze1python-sqlalchemy-doc_0.6.3-3+squeeze1_all.deb
Debian6mipselpython-sqlalchemy-ext< 0.6.3-3+squeeze1python-sqlalchemy-ext_0.6.3-3+squeeze1_mipsel.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	amd64	python-sqlalchemy-ext	< 0.6.3-3+squeeze1	python-sqlalchemy-ext_0.6.3-3+squeeze1_amd64.deb
Debian	6	i386	python-sqlalchemy-ext	< 0.6.3-3+squeeze1	python-sqlalchemy-ext_0.6.3-3+squeeze1_i386.deb
Debian	6	armel	python-sqlalchemy-ext	< 0.6.3-3+squeeze1	python-sqlalchemy-ext_0.6.3-3+squeeze1_armel.deb
Debian	6	kfreebsd-amd64	python-sqlalchemy-ext	< 0.6.3-3+squeeze1	python-sqlalchemy-ext_0.6.3-3+squeeze1_kfreebsd-amd64.deb
Debian	6	all	python-sqlalchemy	< 0.6.3-3+squeeze1	python-sqlalchemy_0.6.3-3+squeeze1_all.deb
Debian	6	all	python3-sqlalchemy	< 0.6.3-3+squeeze1	python3-sqlalchemy_0.6.3-3+squeeze1_all.deb
Debian	6	s390	python-sqlalchemy-ext	< 0.6.3-3+squeeze1	python-sqlalchemy-ext_0.6.3-3+squeeze1_s390.deb
Debian	6	kfreebsd-i386	python-sqlalchemy-ext	< 0.6.3-3+squeeze1	python-sqlalchemy-ext_0.6.3-3+squeeze1_kfreebsd-i386.deb
Debian	6	all	python-sqlalchemy-doc	< 0.6.3-3+squeeze1	python-sqlalchemy-doc_0.6.3-3+squeeze1_all.deb
Debian	6	mipsel	python-sqlalchemy-ext	< 0.6.3-3+squeeze1	python-sqlalchemy-ext_0.6.3-3+squeeze1_mipsel.deb