SB2006070901 - Gentoo update for PostgreSQL
Published: July 9, 2006 Updated: June 28, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) SQL injection (CVE-ID: CVE-2006-2313)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13, 7.3.x before 7.3.15, and earlier versions allows context-dependent attackers to bypass SQL injection protection methods in applications via invalid encodings of multibyte characters, aka 1 variant of 'Encoding-Based SQL Injection.'
2) SQL injection (CVE-ID: CVE-2006-2314)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13, 7.3.x before 7.3.15, and earlier versions allows context-dependent attackers to bypass SQL injection protection methods in applications that use multibyte encodings that allow the '' (backslash) byte 0x5c to be the trailing byte of a multibyte character, such as SJIS, BIG5, GBK, GB18030, and UHC, which cannot be handled correctly by a client that does not understand multibyte encodings, aka a second variant of 'Encoding-Based SQL Injection.' NOTE: it could be argued that this is a class of issue related to interaction errors between the client and PostgreSQL, but a CVE has been assigned since PostgreSQL is treating this as a preventative measure against this class of problem.
Remediation
Install update from vendor's website.