Sam Varshavchik has released an upgrade to the Courier-Auth daemon. It is a minor bug-fix release that solves the following problems:

  • authpgsqllib.c: Use PQescapeStringConn() instead of removing all apostrophes from query parameters. This fixes a potential SQL injection vulnerability if the Postgres database uses a non-Latin locale.
  • Added support for {SSHA}-encrypted passwords. Based on a patch by Zou bin.
  • Added support for the {SHA512} hash function.
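
As an added example (not code from the post or from courier-authlib itself), the following shows how a verifier handles the two newly supported password formats. It assumes the usual RFC 2307 / LDAP layout: {SSHA} is base64(sha1(password + salt) + salt) with the salt appended after the 20-byte digest, and {SHA512} is base64(sha512(password)) with no salt; the 8-byte salt length and the `verify` / `make_*` names are this example's own choices.

```python
import base64
import hashlib
import hmac
import os

SSHA_SALT_LEN = 8  # assumption: salt size used when generating new entries
SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes


def make_ssha(password: str, salt: bytes = b"") -> str:
    """Return an {SSHA} entry; a random salt is generated if none is given."""
    if not salt:
        salt = os.urandom(SSHA_SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Assumed layout: digest first, salt appended, whole thing base64-encoded.
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_sha512(password: str) -> str:
    """Return an unsalted {SHA512} entry (assumed layout: base64 of raw digest)."""
    digest = hashlib.sha512(password.encode("utf-8")).digest()
    return "{SHA512}" + base64.b64encode(digest).decode("ascii")


def verify(stored: str, password: str) -> bool:
    """Check a password against a stored {SSHA} or {SHA512} entry.

    Unknown schemes, malformed base64 and salt-less {SSHA} payloads are
    rejected rather than raising; digests are compared in constant time.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, payload = stored[1:].partition("}")
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    pw = password.encode("utf-8")
    if scheme.upper() == "SSHA":
        if len(raw) <= SHA1_LEN:
            return False  # digest with no salt bytes after it
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme.upper() == "SHA512":
        return hmac.compare_digest(hashlib.sha512(pw).digest(), raw)
    return False
```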

I’ve tested this release without a problem and my production server is running this version at the moment without a problem.

To upgrade your courier-auth installation, read “Upgrading Courier-Auth