Date: Thu, 12 Feb 2015 13:12:00 +0100
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2015:048 ] postgresql

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:048
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : postgresql
 Date    : February 12, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in
 postgresql:
 
 Stephen Frost discovered that PostgreSQL incorrectly displayed
 certain values in error messages. An authenticated user could see
 certain values, contrary to expected permissions
 (CVE-2014-8161).
 
 Andres Freund, Peter Geoghegan and Noah Misch discovered that
 PostgreSQL incorrectly handled buffers in to_char functions. An
 authenticated attacker could possibly use this issue to cause
 PostgreSQL to crash, resulting in a denial of service, or possibly
 execute arbitrary code (CVE-2015-0241).
 
 It was discovered that PostgreSQL incorrectly handled memory in the
 pgcrypto extension. An authenticated attacker could possibly use this
 issue to cause PostgreSQL to crash, resulting in a denial of service,
 or possibly execute arbitrary code (CVE-2015-0243).
 
 Emil Lenngren discovered that PostgreSQL incorrectly handled extended
 protocol message reading. An authenticated attacker could possibly
 use this issue to cause PostgreSQL to crash, resulting in a denial
 of service, or possibly inject query messages (CVE-2015-0244).
 
 This advisory provides the latest version of PostgreSQL that is not
 vulnerable to these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8161
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0241
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0243
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0244
 http://www.postgresql.org/docs/9.2/static/release-9-2-10.html
 http://www.ubuntu.com/usn/usn-2499-1/
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 c7247e9bed1b4546e0ad8b4642a0c4d6  mbs1/x86_64/lib64ecpg9.2_6-9.2.10-1.mbs1.x86_64.rpm
 e201099de82f9e8e506a218bbce83008  mbs1/x86_64/lib64pq9.2_5-9.2.10-1.mbs1.x86_64.rpm
 9c4a352c4efe8229f86d86c9dfe4ca7e  mbs1/x86_64/postgresql9.2-9.2.10-1.mbs1.x86_64.rpm
 ea0dba2757d027a313123de9b9838107  mbs1/x86_64/postgresql9.2-contrib-9.2.10-1.mbs1.x86_64.rpm
 41eed84aa37c1b7f7fe04d4847c9353e  mbs1/x86_64/postgresql9.2-devel-9.2.10-1.mbs1.x86_64.rpm
 1b75d6c7118b01399e5967a19aa4ecd4  mbs1/x86_64/postgresql9.2-docs-9.2.10-1.mbs1.noarch.rpm
 571d8991f01cc05e5e9163bf5d7e2983  mbs1/x86_64/postgresql9.2-pl-9.2.10-1.mbs1.x86_64.rpm
 1d4e7e9458ae38e364550e1e81f1680b  mbs1/x86_64/postgresql9.2-plperl-9.2.10-1.mbs1.x86_64.rpm
 c106d7f63f3f83dd797f1fcec7101b7b  mbs1/x86_64/postgresql9.2-plpgsql-9.2.10-1.mbs1.x86_64.rpm
 3abb3d109b12229f89e1ae2a8f867e4f  mbs1/x86_64/postgresql9.2-plpython-9.2.10-1.mbs1.x86_64.rpm
 22fa1beffab4ca2180f6aa3506f40dc4  mbs1/x86_64/postgresql9.2-pltcl-9.2.10-1.mbs1.x86_64.rpm
 4bd0ab5189b93ac542b2eda0bd9f3b45  mbs1/x86_64/postgresql9.2-server-9.2.10-1.mbs1.x86_64.rpm 
 00c3b26e5a4567cae6d40caf499836ca  mbs1/SRPMS/postgresql9.2-9.2.10-1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFU3IqamqjQ0CJFipgRAvITAKDtjC7P+blOE8qdL7HTGKv8h3OaNgCgyies
gblH0pTGn3CX7dPhdYMqcl4=
=QXzy
-----END PGP SIGNATURE-----
