Steffen Dettmer wrote:
> The problem can be reproduced for example with version 8.1-415 (released 2010-05-11), which still can be downloaded from the official download location (although in `Archived Section'), however this version is included in Linux distributions that are still supported (for example SuSE Linux Enterprise Edition with long-term support).
The SLE11 package claims to be version 8.1. However, AFAICS it actually packages 8.2-506. Did you already check whether 8.2-512 has the problem fixed?
> [...] Possible fix or workaround:
> Do not use PostgreSQL JDBC driver version 8.1 but upgrade to the most recent version. If the distribution offers no suitable package (RPM), the driver should be downloaded from jdbc.postgresql.org and installed manually. This breaks package management consistency but seems to be the smaller issue.
Actually, better complain to the security team of the distro first and ask why there is no update :-) In this case no one knew that there is an SQL injection, and AFAICT upstream didn't flag any updates as security relevant, so no CVE was assigned either.

cu
Ludwig

PS: better use security@suse.de to reach the SUSE security team. opensuse-security@opensuse.org is a discussion list.

--
Ludwig Nussel
http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)