Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 11 Nov 2016 20:45:22 +0200
From: Angelos Tzotsos <gcpp.kalxas@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2016-8640 pycsw SQL injection issue

Hi,

Some days ago, the pycsw team received a security notice from the 
company Koordinates (thank you) regarding an SQL injection vulnerability 
in pycsw. An exploit of this vulnerability was demonstrated, which is 
able to read and extract any data from any table in the pycsw database 
that the database user has access to. On PostgreSQL (at least) it is 
possible to perform updates/inserts/deletes, and database modifications 
to any table the database user has access to.

The vulnerability affects all previously released pycsw versions except 
2.0.2, 1.10.5 and 1.8.6 (those have been released after fixing this 
security issue).

The security patch can be seen in this git commit:
https://github.com/geopython/pycsw/pull/474/files
https://patch-diff.githubusercontent.com/raw/geopython/pycsw/pull/474.patch

The CVE ID assigned is CVE-2016-8640. Many thanks to the Koordinates 
team for picking this issue up and to RedHat security team for their 
help with the CVE.

Best regards,
Angelos


-- 
Angelos Tzotsos, PhD
OSGeo Charter Member
http://users.ntua.gr/tzotsos

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.