lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 08 Dec 2009 15:59:00 +0100
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2009:251-1 ] postgresql8.2


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                       MDVSA-2009:251-1
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : postgresql8.2
 Date    : December 8, 2009
 Affected: 2008.0
 _______________________________________________________________________

 Problem Description:

 The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before
 8.3.8, and 8.2 before 8.2.14 allows remote authenticated users to
 cause a denial of service (backend shutdown) by re-LOAD-ing libraries
 from a certain plugins directory (CVE-2009-3229).
 
 The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before
 8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22,
 and 7.4 before 7.4.26 does not use the appropriate privileges for
 the (1) RESET ROLE and (2) RESET SESSION AUTHORIZATION operations,
 which allows remote authenticated users to gain privileges.  NOTE:
 this is due to an incomplete fix for CVE-2007-6600 (CVE-2009-3230).
 
 The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2
 before 8.2.14, when using LDAP authentication with anonymous binds,
 allows remote attackers to bypass authentication via an empty password
 (CVE-2009-3231).
 
 This update provides a fix for this vulnerability.

 Update:

 Packages for 2008.0 are being provided due to extended support for
 Corporate products.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3229
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3230
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3231
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 d292fa6350134d4a694766f78e9b4325  2008.0/i586/libecpg5-8.2.14-0.1mdv2008.0.i586.rpm
 0daf74246739a4ddde59c86d929b2372  2008.0/i586/libecpg-devel-8.2.14-0.1mdv2008.0.i586.rpm
 784dff4bcff24e719808e862dd5be24e  2008.0/i586/libpq5-8.2.14-0.1mdv2008.0.i586.rpm
 6ebbd221cb3f81c2501d60cda66b1ea6  2008.0/i586/libpq-devel-8.2.14-0.1mdv2008.0.i586.rpm
 1f41610e32d2aae4f1456e7263c4fb80  2008.0/i586/postgresql-8.2.14-0.1mdv2008.0.i586.rpm
 ac8ae125c1db24b5748c5ddef09167a4  2008.0/i586/postgresql8.2-8.2.14-0.1mdv2008.0.i586.rpm
 822cbba00ba28bc79d82a9431fe77c48  2008.0/i586/postgresql8.2-contrib-8.2.14-0.1mdv2008.0.i586.rpm
 40d417845c085bf33862ff9584d34c9c  2008.0/i586/postgresql8.2-devel-8.2.14-0.1mdv2008.0.i586.rpm
 77a9c18eb2439dbe49d61013275fe63e  2008.0/i586/postgresql8.2-docs-8.2.14-0.1mdv2008.0.i586.rpm
 db8898ab10b6bad951c8513489856866  2008.0/i586/postgresql8.2-pl-8.2.14-0.1mdv2008.0.i586.rpm
 94a96e92ea757b4f694601a53fe59a00  2008.0/i586/postgresql8.2-plperl-8.2.14-0.1mdv2008.0.i586.rpm
 92e0adc727b6ac0af5b11fd6444ccd51  2008.0/i586/postgresql8.2-plpgsql-8.2.14-0.1mdv2008.0.i586.rpm
 aa8c2ac2de6f42d975596c93a92b54c7  2008.0/i586/postgresql8.2-plpython-8.2.14-0.1mdv2008.0.i586.rpm
 1b7ea7658c8326573a61bd8aafce82e6  2008.0/i586/postgresql8.2-pltcl-8.2.14-0.1mdv2008.0.i586.rpm
 d6d5489c5c953b08e55ece1f11068276  2008.0/i586/postgresql8.2-server-8.2.14-0.1mdv2008.0.i586.rpm
 c6dbc8d2bd9e89daf50df8c53306c552  2008.0/i586/postgresql8.2-test-8.2.14-0.1mdv2008.0.i586.rpm
 9e2d3a8100029961f2d48631b69e389b  2008.0/i586/postgresql-devel-8.2.14-0.1mdv2008.0.i586.rpm 
 169fe8a23affe4f6c32e503655e628ec  2008.0/SRPMS/postgresql8.2-8.2.14-0.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 3617079ee527bd87a16d2bfdf1a525f4  2008.0/x86_64/lib64ecpg5-8.2.14-0.1mdv2008.0.x86_64.rpm
 8f3868b40025a5d2ccaf6adfaba893c5  2008.0/x86_64/lib64ecpg-devel-8.2.14-0.1mdv2008.0.x86_64.rpm
 85acc8c26019a0d0c64e5ce9a3eda592  2008.0/x86_64/lib64pq5-8.2.14-0.1mdv2008.0.x86_64.rpm
 377613037ed6ded2ce9ca0007c923021  2008.0/x86_64/lib64pq-devel-8.2.14-0.1mdv2008.0.x86_64.rpm
 c027b9b132e0a656fa4a71b0bc9fde09  2008.0/x86_64/postgresql-8.2.14-0.1mdv2008.0.x86_64.rpm
 bc47a41f53cd99caad122d273984b867  2008.0/x86_64/postgresql8.2-8.2.14-0.1mdv2008.0.x86_64.rpm
 3121292bc31043d7dcb3741569287e3a  2008.0/x86_64/postgresql8.2-contrib-8.2.14-0.1mdv2008.0.x86_64.rpm
 0a90bd386286aab79ee109cb1a939ed9  2008.0/x86_64/postgresql8.2-devel-8.2.14-0.1mdv2008.0.x86_64.rpm
 c6a926f25f2829b5600269f4389db041  2008.0/x86_64/postgresql8.2-docs-8.2.14-0.1mdv2008.0.x86_64.rpm
 7793e59a09073e79e694019dd8c52d94  2008.0/x86_64/postgresql8.2-pl-8.2.14-0.1mdv2008.0.x86_64.rpm
 a4b52cfd8044f8539af51ed9b437c224  2008.0/x86_64/postgresql8.2-plperl-8.2.14-0.1mdv2008.0.x86_64.rpm
 b93075904d8a93824b9d9399764e5cd6  2008.0/x86_64/postgresql8.2-plpgsql-8.2.14-0.1mdv2008.0.x86_64.rpm
 ed1710b7151eaabdf5b3a50821a36a69  2008.0/x86_64/postgresql8.2-plpython-8.2.14-0.1mdv2008.0.x86_64.rpm
 177f45106d6d4c37589adfb530a58952  2008.0/x86_64/postgresql8.2-pltcl-8.2.14-0.1mdv2008.0.x86_64.rpm
 643e2a7589151441ba1ed6e77b503654  2008.0/x86_64/postgresql8.2-server-8.2.14-0.1mdv2008.0.x86_64.rpm
 cae199802e9634b3a4df94a8f7222376  2008.0/x86_64/postgresql8.2-test-8.2.14-0.1mdv2008.0.x86_64.rpm
 436e154d88a7ba97575b9614506f9fee  2008.0/x86_64/postgresql-devel-8.2.14-0.1mdv2008.0.x86_64.rpm 
 169fe8a23affe4f6c32e503655e628ec  2008.0/SRPMS/postgresql8.2-8.2.14-0.1mdv2008.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLHj5GmqjQ0CJFipgRAuYZAKDWgA8C/TBq4QdnflpEz1wOhfdb8QCg3GpO
aNp5EUBLnzsVel0r71Hxfsw=
=LQGp
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists