[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041027005220.GB17248@box79162.elkhouse.de>
Date: Wed, 27 Oct 2004 02:52:20 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: [USN-6-1] postgresql contributed script vulnerability
===========================================================
Ubuntu Security Notice USN-6-1 October 27, 2004
postgresql contributed script vulnerability
CAN-2004-0977
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
The following packages are affected:
postgresql-contrib
The problem can be corrected by upgrading the affected package to
version 7.4.5-3ubuntu0.1. In general, a standard system upgrade is
sufficient to effect the necessary changes.
Details follow:
Recently, Trustix Secure Linux discovered a vulnerability in the
postgresql-contrib package. The script "make_oidjoins_check" created
temporary files in an insecure way, which allowed a symlink attack to
create or overwrite arbitrary files with the privileges of the user
invoking the script.
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql_7.4.5-3ubuntu0.1.diff.gz
Size/MD5: 143783 c495929ea0fc6a9ac76a4a318fae9b38
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql_7.4.5-3ubuntu0.1.dsc
Size/MD5: 991 57b900c5dd1cb46018a1d1b8a1703843
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql_7.4.5.orig.tar.gz
Size/MD5: 9895913 a295885a36ed8e7ec7a7e887218ceabc
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql-doc_7.4.5-3ubuntu0.1_all.deb
Size/MD5: 2256072 bc27bf88bbeb8e48a244ff07889690fb
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libecpg-dev_7.4.5-3ubuntu0.1_amd64.deb
Size/MD5: 206430 0bf48a64b875a7f62d199fcbcfd15868
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libecpg4_7.4.5-3ubuntu0.1_amd64.deb
Size/MD5: 90780 bb0bf3a95db87d24bc09b70b166c1686
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpgtcl-dev_7.4.5-3ubuntu0.1_amd64.deb
Size/MD5: 48450 a2bbc09533df18d88a4a8984b02b844b
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpgtcl_7.4.5-3ubuntu0.1_amd64.deb
Size/MD5: 73368 e995a24d0d7fb38151ef77ed06630ea5
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpq3_7.4.5-3ubuntu0.1_amd64.deb
Size/MD5: 115188 7106129242b6c1eea15cef9b3e149965
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql-client_7.4.5-3ubuntu0.1_amd64.deb
Size/MD5: 517770 eb0014fccd13a6668056f5620f7c1db3
http://security.ubuntu.com/ubuntu/pool/universe/p/postgresql/postgresql-contrib_7.4.5-3ubuntu0.1_amd64.deb
Size/MD5: 623944 ca57aab9997fa1f619d8b257be29634d
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql-dev_7.4.5-3ubuntu0.1_amd64.deb
Size/MD5: 508962 a61e04bfb35a42ca7faf48b602517645
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql_7.4.5-3ubuntu0.1_amd64.deb
Size/MD5: 3878578 20d8925f55cf68d04e87cf6f05625a74
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libecpg-dev_7.4.5-3ubuntu0.1_i386.deb
Size/MD5: 194420 dc645be2413d04699dd0dc37bacdca19
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libecpg4_7.4.5-3ubuntu0.1_i386.deb
Size/MD5: 85264 bebcf0c0ab005c6dd3ff9ca46282244d
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpgtcl-dev_7.4.5-3ubuntu0.1_i386.deb
Size/MD5: 47448 2e334a19e706b343f0186b0afee4c954
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpgtcl_7.4.5-3ubuntu0.1_i386.deb
Size/MD5: 70206 d38801e50bfc8bdf4402c64ee241e762
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpq3_7.4.5-3ubuntu0.1_i386.deb
Size/MD5: 108438 ce23e38441996361d7573c8e7a652b2f
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql-client_7.4.5-3ubuntu0.1_i386.deb
Size/MD5: 491670 0a54412df188ed54f5f4331ab235b71e
http://security.ubuntu.com/ubuntu/pool/universe/p/postgresql/postgresql-contrib_7.4.5-3ubuntu0.1_i386.deb
Size/MD5: 577362 96f5bc3c30a3efddf741c83aa2b56643
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql-dev_7.4.5-3ubuntu0.1_i386.deb
Size/MD5: 502156 6cc53cd4c38641cde7c017e218761553
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql_7.4.5-3ubuntu0.1_i386.deb
Size/MD5: 3702896 d632bf282f90496751e68c6348325e54
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libecpg-dev_7.4.5-3ubuntu0.1_powerpc.deb
Size/MD5: 202658 c8a016eb2704ea7b1538701dbd52c0ce
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libecpg4_7.4.5-3ubuntu0.1_powerpc.deb
Size/MD5: 92310 dd784727ab126f7141de8f0678c055d3
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpgtcl-dev_7.4.5-3ubuntu0.1_powerpc.deb
Size/MD5: 48196 35fed4247f755990b7fd196b13ade911
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpgtcl_7.4.5-3ubuntu0.1_powerpc.deb
Size/MD5: 76860 095cd9b8116a8506e50239e49ae3c3ea
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpq3_7.4.5-3ubuntu0.1_powerpc.deb
Size/MD5: 109532 c03e2eb196b0d164aac2b33a8ae2338a
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql-client_7.4.5-3ubuntu0.1_powerpc.deb
Size/MD5: 510522 6f2f1f862b0b20d41ea826cacdb0ba02
http://security.ubuntu.com/ubuntu/pool/universe/p/postgresql/postgresql-contrib_7.4.5-3ubuntu0.1_powerpc.deb
Size/MD5: 636080 9ddc79b08843dd4187492d57ff47485a
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql-dev_7.4.5-3ubuntu0.1_powerpc.deb
Size/MD5: 505654 b1f0f3b894104bfd6f467c046fa7c64e
http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql_7.4.5-3ubuntu0.1_powerpc.deb
Size/MD5: 4102462 b1530136e964f8c547419d4bb80a5399
Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)
--
ubuntu-security-announce mailing list
ubuntu-security-announce@...ts.ubuntu.com
http://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
Powered by blists - more mailing lists