Message-ID: <20041027005220.GB17248@box79162.elkhouse.de>
Date: Wed, 27 Oct 2004 02:52:20 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: [USN-6-1] postgresql contributed script vulnerability

===========================================================
Ubuntu Security Notice USN-6-1             October 27, 2004
postgresql contributed script vulnerability
CAN-2004-0977
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

postgresql-contrib

The problem can be corrected by upgrading the affected package to
version 7.4.5-3ubuntu0.1. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Recently, Trustix Secure Linux discovered a vulnerability in the
postgresql-contrib package. The script "make_oidjoins_check" created
temporary files in an insecure way, which allowed a symlink attack to
create or overwrite arbitrary files with the privileges of the user
invoking the script.
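
The advisory does not reproduce the script's code, so the following is an added illustration of the bug class, not code from make_oidjoins_check or from the Ubuntu fix. It contrasts a guessable temporary file name with `mktemp` inside a throwaway sandbox; every file and function name is constructed for the example.

```shell
#!/bin/sh
# Added illustration; all names here are constructed, not taken from the package.

# Weak pattern: fixed, guessable name in a shared directory. The ">" redirection
# opens with O_CREAT|O_TRUNC and follows a symlink already sitting at that path.
write_predictable() {
    printf 'scratch output\n' > "$1/oidjoins_check.tmp"
}

# Hardened pattern: mktemp picks an unpredictable name and creates the file
# exclusively with mode 0600, so a link planted in advance is never followed.
write_mktemp() {
    tmp=$(mktemp "$1/oidjoins_check.XXXXXX") || return 1
    printf 'scratch output\n' > "$tmp"
    rm -f "$tmp"
}

# Build a private sandbox with a link planted at the guessable name, run one
# writer ($1), and report whether the file behind the link was modified.
run_case() {
    sandbox=$(mktemp -d) || return 2
    mkdir "$sandbox/shared"
    printf 'original\n' > "$sandbox/target"
    ln -s "$sandbox/target" "$sandbox/shared/oidjoins_check.tmp"
    "$1" "$sandbox/shared"
    if [ "$(cat "$sandbox/target")" = "original" ]; then
        result=intact
    else
        result=overwritten
    fi
    rm -rf "$sandbox"
    printf '%s\n' "$result"
}

run_case write_predictable   # overwritten
run_case write_mktemp        # intact
```

When auditing other scripts for the same flaw, look for redirections into `/tmp` or another world-writable directory whose file name is fixed or derived only from `$$`.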

