|
Date: Fri, 11 Nov 2016 20:45:22 +0200 From: Angelos Tzotsos <gcpp.kalxas@...il.com> To: oss-security@...ts.openwall.com Subject: CVE-2016-8640 pycsw SQL injection issue Hi, Some days ago, the pycsw team received a security notice from the company Koordinates (thank you) regarding an SQL injection vulnerability in pycsw. An exploit of this vulnerability was demonstrated, which is able to read and extract any data from any table in the pycsw database that the database user has access to. On PostgreSQL (at least) it is possible to perform updates/inserts/deletes, and database modifications to any table the database user has access to. The vulnerability affects all previously released pycsw versions except 2.0.2, 1.10.5 and 1.8.6 (those have been released after fixing this security issue). The security patch can be seen in this git commit: https://github.com/geopython/pycsw/pull/474/files https://patch-diff.githubusercontent.com/raw/geopython/pycsw/pull/474.patch The CVE ID assigned is CVE-2016-8640. Many thanks to the Koordinates team for picking this issue up and to RedHat security team for their help with the CVE. Best regards, Angelos -- Angelos Tzotsos, PhD OSGeo Charter Member http://users.ntua.gr/tzotsos
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.