Florian Zumbiehl reported a vulnerability in pam-pgsql whereby the username to be used for authentication is used as a format string when writing a log message. This vulnerability may allow an attacker to execute arbitrary code with the privileges of the program requesting PAM authentication.
For the stable distribution (woody) this problem has been fixed in version 0.5.2-3woody1.
For the unstable distribution (sid) this problem has been fixed in version 0.5.2-7.
We recommend that you update your pam-pgsql package.
MD5 checksums of the listed files are available in the original advisory.