=====================================================================
                                   CERT-Renater

                        Information Note No. 2008/VULN610
_____________________________________________________________________

DATE                      : 22/12/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running courier-authlib versions
                                  prior to 0.62.0.

======================================================================
http://www.nabble.com/courier-authlib-0.62.0-released-td21072217.html
______________________________________________________________________

courier-authlib 0.62.0 released

by Sam Varshavchik

Download: http://www.courier-mta.org/download.php#authlib

This release adds support for additional hash functions, and an update to
the Postgres driver that removes potential SQL injection vulnerabilities
in some circumstances.

* authpgsqllib.c: Use PQescapeStringConn() instead of removing all
apostrophes from query parameters. This fixes a potential SQL injection
vulnerability if the Postgres database uses a non-Latin locale.

* Added support for {SSHA}-encrypted passwords. Based on a patch by Zou bin
<zb@...>.

* Added support for {SHA512} hash function.

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
