A security flaw was found in the way the MySQL authentication handler / module of the Python WebDAV server performed user authentication. A remote attacker could use this flaw to conduct SQL injection attacks via specially-crafted user credentials.

Acknowledgements: Red Hat would like to thank Nico Golde of the Debian Security Team for reporting this issue. The Debian Security Team acknowledges 'Teeed' as the original issue reporter.
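The class of flaw described above, as an added example that is not pywebdav's own code: a credential check that pastes user input into the SQL text, next to the parameterized form. The table schema, function names and sample values are assumptions, and sqlite3 stands in for the MySQL backend so the block runs offline.

```python
import sqlite3

def make_db():
    """Constructed sample data; the 'users' schema is hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    # Plaintext password only to keep the demo short; store a salted hash.
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def check_unsafe(db, user, pw):
    """Vulnerable pattern: credentials become part of the SQL statement."""
    sql = "SELECT 1 FROM users WHERE name = '%s' AND pass = '%s'" % (user, pw)
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        # A stray quote can also simply break the statement.
        return False

def check_safe(db, user, pw):
    """Hardened pattern: placeholders keep credentials as data, never SQL.

    sqlite3 uses '?'; MySQLdb uses '%s' with the values passed as the
    second argument to cursor.execute(), not with the '%' operator.
    """
    sql = "SELECT 1 FROM users WHERE name = ? AND pass = ?"
    return db.execute(sql, (user, pw)).fetchone() is not None

def demo():
    db = make_db()
    # Constructed input: the quote ends the string literal and '--'
    # comments out the password test in the interpolated query.
    crafted = "alice' --"
    return {
        "unsafe_valid": check_unsafe(db, "alice", "s3cret"),
        "unsafe_crafted": check_unsafe(db, crafted, "wrong"),
        "safe_valid": check_safe(db, "alice", "s3cret"),
        "safe_crafted": check_safe(db, crafted, "wrong"),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(name, accepted)
```

The same four calls make a regression test for an authentication handler: the crafted name must be rejected while the valid pair is still accepted.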
This issue affects the versions of the pywebdav package, as shipped with Fedora releases 13 and 14.

This issue affects the versions of the pywebdav package, as present within the EPEL-5 and EPEL-6 repositories. Please schedule an update.
Public via: http://code.google.com/p/pywebdav/
Created pywebdav tracking bugs for this issue

Affects: fedora-all [bug 679338]
Affects: epel-5 [bug 679339]
Affects: epel-6 [bug 679340]
This was corrected via the following EPEL6 and Fedora builds:

pywebdav-0.9.4.1-1.el6 (FEDORA-EPEL-2011-0545)
pywebdav-0.9.4.1-1.fc13 (FEDORA-2011-2470)
pywebdav-0.9.4.1-1.fc14 (FEDORA-2011-2460)
pywebdav-0.9.4.1-1.fc15 (FEDORA-2011-2427)
pywebdav-0.9.4.1-1.fc16

EPEL 5 still requires this fix, however.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.