CVE-2015-3427
Published: 14 May 2015
Quassel before 0.12.2 does not properly re-initialize the database session when the PostgreSQL database is restarted, which allows remote attackers to conduct SQL injection attacks via a \ (backslash) in a message. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4422.
Notes
Author | Note |
---|---|
tyhicks | Requires Quassel IRC before 0.9.1 and QT 4.8.5 or newer |
Priority
Status
Package | Release | Status |
---|---|---|
quassel | lucid | Ignored (end of life) |
quassel | precise | Not vulnerable (QT 4.8.1) |
quassel | trusty | Released (0.10.0-0ubuntu2.2) |
quassel | upstream | Needed |
quassel | utopic | Released (0.10.1-0ubuntu1.2) |
quassel | vivid | Released (0.12.2-0ubuntu0.1) |

Patches: upstream: https://github.com/quassel/quassel/commit/6605882f41331c80f7ac3a6992650a702ec71283