lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <44039F94.701@videotron.ca>
Date: Mon, 27 Feb 2006 19:55:48 -0500
From: Marc Deslauriers <marcdeslauriers@...eotron.ca>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [FLSA-2006:157366] Updated PostgreSQL packages
	fix security issues

---------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated PostgreSQL packages fix security issues
Advisory ID:       FLSA:157366
Issue date:        2006-02-27
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2005-1409 CVE-2005-1410
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated postgresql packages that fix several security vulnerabilities
and risks of data loss are now available.

PostgreSQL is an advanced Object-Relational database management system
(DBMS) that supports almost all SQL constructs (including
transactions, subselects and user-defined types and functions).

2. Relevant releases/architectures:

Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

The PostgreSQL community discovered two distinct errors in initial
system catalog entries that could allow authorized database users to
crash the database and possibly escalate their privileges. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
names CVE-2005-1409 and CVE-2005-1410 to these issues.

Although installing this update will protect new (freshly initdb'd)
database installations from these errors, administrators MUST TAKE
MANUAL ACTION to repair the errors in pre-existing databases. The
appropriate procedures are explained at
http://www.postgresql.org/docs/8.0/static/release-7-4-8.html
for Fedora Core 2 users, or
http://www.postgresql.org/docs/8.0/static/release-7-3-10.html
for Fedora Core 1 and Red Hat Linux 9 users.

This update also includes fixes for several other errors, including two
race conditions that could result in apparent data inconsistency or
actual data loss.

All users of PostgreSQL are advised to upgrade to these updated packages
and to apply the recommended manual corrections to existing databases.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157366

6. RPMs required:

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/postgresql-7.3.10-0.90.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-contrib-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-devel-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-docs-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-jdbc-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-libs-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-pl-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-python-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-server-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-tcl-7.3.10-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/postgresql-test-7.3.10-0.90.1.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/postgresql-7.3.10-1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-contrib-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-devel-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-docs-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-jdbc-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-libs-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-pl-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-python-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-server-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-tcl-7.3.10-1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/postgresql-test-7.3.10-1.1.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/postgresql-7.4.8-1.FC2.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-7.4.8-1.FC2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-contrib-7.4.8-1.FC2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-devel-7.4.8-1.FC2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-docs-7.4.8-1.FC2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-jdbc-7.4.8-1.FC2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-libs-7.4.8-1.FC2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-pl-7.4.8-1.FC2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-python-7.4.8-1.FC2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-server-7.4.8-1.FC2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-tcl-7.4.8-1.FC2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/postgresql-test-7.4.8-1.FC2.1.legacy.i386.rpm

7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------

88bf97be3530effdf1c7c3a779bfe7f80e7ea6be
redhat/9/updates/i386/postgresql-7.3.10-0.90.1.legacy.i386.rpm
6130777335db38d64a44d52106353cd76154ca23
redhat/9/updates/i386/postgresql-contrib-7.3.10-0.90.1.legacy.i386.rpm
4bce5f9e6e80edb944a7aa24839f34c609c44c99
redhat/9/updates/i386/postgresql-devel-7.3.10-0.90.1.legacy.i386.rpm
f6d7a63730df0a33b4f7582077472bf8cecc0f4e
redhat/9/updates/i386/postgresql-docs-7.3.10-0.90.1.legacy.i386.rpm
3f76bb95ef0ce2da9b6a58993cdf7a1000e33019
redhat/9/updates/i386/postgresql-jdbc-7.3.10-0.90.1.legacy.i386.rpm
a7a9187c41f2820ca9c2d2364f63859d33d21044
redhat/9/updates/i386/postgresql-libs-7.3.10-0.90.1.legacy.i386.rpm
0d0e4d4e566583111f30f4c06f255daeaf9bbd49
redhat/9/updates/i386/postgresql-pl-7.3.10-0.90.1.legacy.i386.rpm
def9d9581141c219e013a875146c75b65af67e91
redhat/9/updates/i386/postgresql-python-7.3.10-0.90.1.legacy.i386.rpm
43590dabe9601ddbefbc6d9086c9b7dfb363acaa
redhat/9/updates/i386/postgresql-server-7.3.10-0.90.1.legacy.i386.rpm
e4769b82d862178d6d395f52ebcbd56a75e36e71
redhat/9/updates/i386/postgresql-tcl-7.3.10-0.90.1.legacy.i386.rpm
fbd07e5eaad5e4ee5bd1b30e02001a043331daff
redhat/9/updates/i386/postgresql-test-7.3.10-0.90.1.legacy.i386.rpm
57fc00132f9d66263729566666fd1eba3d7a9d2f
redhat/9/updates/SRPMS/postgresql-7.3.10-0.90.1.legacy.src.rpm

de59e42459e24cd8846fbd6d765bc892d621a0dc
fedora/1/updates/i386/postgresql-7.3.10-1.1.legacy.i386.rpm
88abba3e24f01c6189be15b6481d77b135b6191c
fedora/1/updates/i386/postgresql-contrib-7.3.10-1.1.legacy.i386.rpm
39a6163dffc299ba088f8f71c0393fca08648ae9
fedora/1/updates/i386/postgresql-devel-7.3.10-1.1.legacy.i386.rpm
0ac78a44e03f5b31113b7b110d35472aded5ecbd
fedora/1/updates/i386/postgresql-docs-7.3.10-1.1.legacy.i386.rpm
e8a17936599c1c2aa7a26056ee3449e43a460d07
fedora/1/updates/i386/postgresql-jdbc-7.3.10-1.1.legacy.i386.rpm
421fc09afacbeb0e6773a8c2c1dd2ebb45406fd9
fedora/1/updates/i386/postgresql-libs-7.3.10-1.1.legacy.i386.rpm
f79b142305ab70af54594478e248830edfdb8247
fedora/1/updates/i386/postgresql-pl-7.3.10-1.1.legacy.i386.rpm
ab86d2fbf57b470934131cb78916117fdf177a4d
fedora/1/updates/i386/postgresql-python-7.3.10-1.1.legacy.i386.rpm
71c2abb0a89a19fa88eaa3a22048062ea4d938f3
fedora/1/updates/i386/postgresql-server-7.3.10-1.1.legacy.i386.rpm
92e2b78d179c4aa378875b6ab42c488cad6b44c7
fedora/1/updates/i386/postgresql-tcl-7.3.10-1.1.legacy.i386.rpm
44a3837dd2f7ae68790637be50fe1f29b8d86814
fedora/1/updates/i386/postgresql-test-7.3.10-1.1.legacy.i386.rpm
de79d4182b566ec3c4a623cd26c51af2e8938ffb
fedora/1/updates/SRPMS/postgresql-7.3.10-1.1.legacy.src.rpm

0046d088278b0c08740222a41ca511d0c0fa3d99
fedora/2/updates/i386/postgresql-7.4.8-1.FC2.1.legacy.i386.rpm
184dd4304908b60a216f3be9f0756fde449c729e
fedora/2/updates/i386/postgresql-contrib-7.4.8-1.FC2.1.legacy.i386.rpm
8ae68e66295eddb1936c31fe15cf95662db4b345
fedora/2/updates/i386/postgresql-devel-7.4.8-1.FC2.1.legacy.i386.rpm
7e547b6ee8c0e1b06bc803aa45086971158ced10
fedora/2/updates/i386/postgresql-docs-7.4.8-1.FC2.1.legacy.i386.rpm
646cba1375fa3548aff2a791035f5eacb7927869
fedora/2/updates/i386/postgresql-jdbc-7.4.8-1.FC2.1.legacy.i386.rpm
642feb043c19a5584f60ef45713bf8249c689216
fedora/2/updates/i386/postgresql-libs-7.4.8-1.FC2.1.legacy.i386.rpm
6955df9f381e1683d1d79aa779f5f295e74e2b68
fedora/2/updates/i386/postgresql-pl-7.4.8-1.FC2.1.legacy.i386.rpm
99b1ee5e4c26370d39e52437c10bb9cdcbc5d273
fedora/2/updates/i386/postgresql-python-7.4.8-1.FC2.1.legacy.i386.rpm
167fb15d6f300bd4aaf8a0b080dfa42136ee9f1c
fedora/2/updates/i386/postgresql-server-7.4.8-1.FC2.1.legacy.i386.rpm
62f4e5798b3179a49cbe8c515343a0db4687834b
fedora/2/updates/i386/postgresql-tcl-7.4.8-1.FC2.1.legacy.i386.rpm
1c8feebe8cf8d2ef07cb004b10cd4cf69e654989
fedora/2/updates/i386/postgresql-test-7.4.8-1.FC2.1.legacy.i386.rpm
c2b44a61fdbf644cecccb3edcf78a80dbda9cfa4
fedora/2/updates/SRPMS/postgresql-7.4.8-1.FC2.1.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1409
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1410

9. Contact:

The Fedora Legacy security contact is <secnotice@...oralegacy.org>. More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

Download attachment "signature.asc" of type "application/pgp-signature" (192 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ