Security Advisory Moderate: python-sqlalchemy security update

Advisory: RHSA-2012:0369-1
Type: Security Advisory
Severity: Moderate
Issued on: 2012-03-07
Last updated on: 2012-03-07
Affected Products: Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Server AUS (v. 6.2)
Red Hat Enterprise Linux Server EUS (v. 6.2.z)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2012-0805

Details

An updated python-sqlalchemy package that fixes one security issue is now
available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

SQLAlchemy is an Object Relational Mapper (ORM) that provides a flexible,
high-level interface to SQL databases.

It was discovered that SQLAlchemy did not sanitize values for the limit and
offset keywords for SQL select statements. If an application using
SQLAlchemy accepted values for these keywords, and did not filter or
sanitize them before passing them to SQLAlchemy, it could allow an attacker
to perform an SQL injection attack against the application. (CVE-2012-0805)

All users of python-sqlalchemy are advised to upgrade to this updated
package, which contains a patch to correct this issue. All running
applications using SQLAlchemy must be restarted for this update to take
effect.
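The flaw described above is only reachable when an application forwards request parameters into limit and offset without checking them first, so the application-side control is to coerce those values to bounded integers at the trust boundary before any query builder sees them. The following is an added illustration written for this advisory, not code from SQLAlchemy or from Red Hat; the `MAX_LIMIT` ceiling, the parameter names and the sqlite3 demo table are assumptions. Upgrading the package remains the remediation; the check below is defence in depth for the caller.

```python
"""Validate user-supplied paging values before they reach a query.

Constructed example for the CVE-2012-0805 advisory: the unpatched package did
not check that limit/offset were integers, so an application that passed raw
request parameters through was exposed. Rejecting anything that is not a plain
integer, and bounding it, is the caller-side check. (Example code; not part of
the advisory or of SQLAlchemy.)
"""
import re
import sqlite3

MAX_LIMIT = 100                      # assumed policy ceiling for one page
_INT_RE = re.compile(r"[+-]?[0-9]+")   # ASCII digits only, no whitespace/sign tricks


def _to_int(value, name):
    """Coerce one raw paging value to int, accepting only ints or digit strings."""
    if isinstance(value, bool):       # bool is an int subclass; refuse it explicitly
        raise ValueError(f"{name} must be an integer, got {value!r}")
    if isinstance(value, int):
        return value
    if isinstance(value, str) and _INT_RE.fullmatch(value):
        return int(value)
    raise ValueError(f"{name} must be an integer, got {value!r}")


def parse_paging(params, default_limit=20):
    """Return (limit, offset) as bounded ints from a mapping of raw request
    parameters (values are normally str, as they arrive from a query string).
    Raises ValueError on anything that is not a non-negative integer."""
    limit = _to_int(params.get("limit", default_limit), "limit")
    offset = _to_int(params.get("offset", 0), "offset")
    if limit < 1 or offset < 0:
        raise ValueError("limit must be >= 1 and offset must be >= 0")
    return min(limit, MAX_LIMIT), offset


def build_demo_db(rows=10):
    """Constructed in-memory table with ids 1..rows, used only for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO item (name) VALUES (?)",
                     [(f"item-{i}",) for i in range(1, rows + 1)])
    return conn


def fetch_page(conn, limit, offset):
    """Run the paged query with the validated ints as bound parameters, so the
    values are never interpolated into the SQL text."""
    cur = conn.execute("SELECT id FROM item ORDER BY id LIMIT ? OFFSET ?",
                       (limit, offset))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    conn = build_demo_db()
    limit, offset = parse_paging({"limit": "3", "offset": "4"})
    print(fetch_page(conn, limit, offset))          # [5, 6, 7]
    for bad in ({"limit": "5abc"}, {"offset": "-1"}, {"limit": "1.5"}):
        try:
            parse_paging(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The two halves matter together: `parse_paging` guarantees the values have the integer type the database layer expects, and `fetch_page` still passes them as bound parameters rather than string-formatting them into the statement, so a regression in either layer does not by itself reopen the issue.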


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Red Hat Enterprise Linux Server (v. 6)

SRPMS:
python-sqlalchemy-0.5.5-3.el6_2.src.rpm     MD5: c2f6a48b5de72edf1726df4a54bd6d62
SHA-256: 4b51dec2b2ba690eed9653506e850736ed16e9783990e0d61bc6fe2b6710249a
 
IA-32:
python-sqlalchemy-0.5.5-3.el6_2.noarch.rpm     MD5: 388344819ad0159d8e7d7d4253e9158d
SHA-256: 233d5873906126aefb51b54f62675edfcc54c0a10f9678b7b0275451cff8c4be
 
PPC:
python-sqlalchemy-0.5.5-3.el6_2.noarch.rpm     MD5: 388344819ad0159d8e7d7d4253e9158d
SHA-256: 233d5873906126aefb51b54f62675edfcc54c0a10f9678b7b0275451cff8c4be
 
s390x:
python-sqlalchemy-0.5.5-3.el6_2.noarch.rpm     MD5: 388344819ad0159d8e7d7d4253e9158d
SHA-256: 233d5873906126aefb51b54f62675edfcc54c0a10f9678b7b0275451cff8c4be
 
x86_64:
python-sqlalchemy-0.5.5-3.el6_2.noarch.rpm     MD5: 388344819ad0159d8e7d7d4253e9158d
SHA-256: 233d5873906126aefb51b54f62675edfcc54c0a10f9678b7b0275451cff8c4be
 
Red Hat Enterprise Linux Server AUS (v. 6.2)

SRPMS:
python-sqlalchemy-0.5.5-3.el6_2.src.rpm     MD5: c2f6a48b5de72edf1726df4a54bd6d62
SHA-256: 4b51dec2b2ba690eed9653506e850736ed16e9783990e0d61bc6fe2b6710249a
 
x86_64:
python-sqlalchemy-0.5.5-3.el6_2.noarch.rpm     MD5: 388344819ad0159d8e7d7d4253e9158d
SHA-256: 233d5873906126aefb51b54f62675edfcc54c0a10f9678b7b0275451cff8c4be
 
Red Hat Enterprise Linux Server EUS (v. 6.2.z)

SRPMS:
python-sqlalchemy-0.5.5-3.el6_2.src.rpm     MD5: c2f6a48b5de72edf1726df4a54bd6d62
SHA-256: 4b51dec2b2ba690eed9653506e850736ed16e9783990e0d61bc6fe2b6710249a
 
IA-32:
python-sqlalchemy-0.5.5-3.el6_2.noarch.rpm     MD5: 388344819ad0159d8e7d7d4253e9158d
SHA-256: 233d5873906126aefb51b54f62675edfcc54c0a10f9678b7b0275451cff8c4be
 
PPC:
python-sqlalchemy-0.5.5-3.el6_2.noarch.rpm     MD5: 388344819ad0159d8e7d7d4253e9158d
SHA-256: 233d5873906126aefb51b54f62675edfcc54c0a10f9678b7b0275451cff8c4be
 
s390x:
python-sqlalchemy-0.5.5-3.el6_2.noarch.rpm     MD5: 388344819ad0159d8e7d7d4253e9158d
SHA-256: 233d5873906126aefb51b54f62675edfcc54c0a10f9678b7b0275451cff8c4be
 
x86_64:
python-sqlalchemy-0.5.5-3.el6_2.noarch.rpm     MD5: 388344819ad0159d8e7d7d4253e9158d
SHA-256: 233d5873906126aefb51b54f62675edfcc54c0a10f9678b7b0275451cff8c4be
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
python-sqlalchemy-0.5.5-3.el6_2.src.rpm     MD5: c2f6a48b5de72edf1726df4a54bd6d62
SHA-256: 4b51dec2b2ba690eed9653506e850736ed16e9783990e0d61bc6fe2b6710249a
 
IA-32:
python-sqlalchemy-0.5.5-3.el6_2.noarch.rpm     MD5: 388344819ad0159d8e7d7d4253e9158d
SHA-256: 233d5873906126aefb51b54f62675edfcc54c0a10f9678b7b0275451cff8c4be
 
x86_64:
python-sqlalchemy-0.5.5-3.el6_2.noarch.rpm     MD5: 388344819ad0159d8e7d7d4253e9158d
SHA-256: 233d5873906126aefb51b54f62675edfcc54c0a10f9678b7b0275451cff8c4be
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

783305 - CVE-2012-0805 python-sqlalchemy: SQL injection flaw due to not checking LIMIT input for correct type


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/