From: Moriyoshi K. <mko...@di...> - 2005-09-28 18:34:07

Hello,

The PAM-MySQL project has announced the newest versions of the product are now available for download. The new releases include a couple of crucial security fixes. Users are strongly encouraged to upgrade to either version immediately. We apologise for the inconvenience caused by these issues.

Addressed security concerns:

- Possible segmentation fault in the SQL logging facility, which can cause Denial-of-Service (DoS).
- Flaws in the authentication and authentication token alteration code where incorrect treatment of the pointer returned by pam_get_item() was spotted. They can most likely induce DoS or possibly lead to more severe problems.

Changes:

* Changed handling of the "where" option to not escape meta characters (PR #1261484). (0.7pre3)
* Overhauled the SQL logging facility (PR #1256243). (0.6.2, 0.7pre3)
* Added logrhostcolumn (log.rhost_column) option that enables you to log the value of the "rhost" item specified by the application. (0.7pre3)
* Fixed possible security flaw (though not considered to be severe). (0.7pre3)
* Fixed memory leaks spotted when "config_file" option is used. (0.7pre3)
* Fixed try_first_pass behaviour. (0.7pre3)
* Changed option parsing behaviour so "=" following each option name is not needed. (0.7pre3)

You can download either one from the following URLs:

http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.6.2.tar.gz
http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7pre3.tar.gz

Regards,
Moriyoshi