lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20061101112340.GI4782@piware.de>
Date: Wed, 1 Nov 2006 12:23:40 +0100
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-369-2] postgresql-8.1 vulnerabilities

=========================================================== 
Ubuntu Security Notice USN-369-2          November 01, 2006
postgresql-8.1 vulnerabilities
CVE-2006-5540, CVE-2006-5541, CVE-2006-5542
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.10:
  postgresql-8.1                           8.1.4-7ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-369-1 fixed three minor PostgreSQL 8.1 vulnerabilities for Ubuntu 6.06 LTS.
This update provides the corresponding update for Ubuntu 6.10.

Original advisory details:

  Michael Fuhr discovered an incorrect type check when handling unknown
  literals. By attempting to coerce such a literal to the ANYARRAY type,
  a local authenticated attacker could cause a server crash. (CVE-2006-5541)
  
  Josh Drake and Alvaro Herrera reported a crash when using aggregate
  functions in UPDATE statements. A local authenticated attacker could
  exploit this to crash the server backend. This update disables this
  construct, since it is not very well defined and forbidden by the SQL
  standard. (CVE-2006-5540)
  
  Sergey Koposov discovered a flaw in the duration logging. This could
  cause a server crash under certain circumstances. (CVE-2006-5542)
  
  Please note that these flaws can usually not be exploited through web
  and other applications that use a database and are exposed to
  untrusted input, so these flaws do not pose a threat in usual setups.


Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-8.1_8.1.4-7ubuntu0.1.diff.gz
      Size/MD5:    52401 af21a893e2947a1e467d5e98663031e7
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-8.1_8.1.4-7ubuntu0.1.dsc
      Size/MD5:     1176 04b8d59e5fdb061ebc2a0b1e86c4220d
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-8.1_8.1.4.orig.tar.gz
      Size/MD5: 11312643 c6554a0ef948ab2b18b617954e1788fe

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-doc-8.1_8.1.4-7ubuntu0.1_all.deb
      Size/MD5:  1442056 4263930dd4391fd81944a82c372f3cba

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libecpg-compat2_8.1.4-7ubuntu0.1_amd64.deb
      Size/MD5:   152924 5fb69c85456514e2f78072efc3956ec0
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libecpg-dev_8.1.4-7ubuntu0.1_amd64.deb
      Size/MD5:   344912 a34d581ae43ce95f0758f3128d2c07e5
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libecpg5_8.1.4-7ubuntu0.1_amd64.deb
      Size/MD5:   173428 733938955a0112fb6fedc835f5456052
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libpgtypes2_8.1.4-7ubuntu0.1_amd64.deb
      Size/MD5:   175450 5412a17f17d49c3090cb7fcbcc136e7b
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libpq-dev_8.1.4-7ubuntu0.1_amd64.deb
      Size/MD5:   312606 3b5e8a5d6cffa8b48f82575458503d22
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libpq4_8.1.4-7ubuntu0.1_amd64.deb
      Size/MD5:   206680 559c766535f53918647783563d797582
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-8.1_8.1.4-7ubuntu0.1_amd64.deb
      Size/MD5:  3256168 a0bbda514074cd42271529eb07e94ecd
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-client-8.1_8.1.4-7ubuntu0.1_amd64.deb
      Size/MD5:   769328 3323f21f5fd11c660e74e0b2a3d480f6
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.4-7ubuntu0.1_amd64.deb
      Size/MD5:   619156 08c3d6be3fa11d19eccdbb9986e659d4
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.4-7ubuntu0.1_amd64.deb
      Size/MD5:   169362 d5cec1f551207e2e734bf6fab2317ef9
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.4-7ubuntu0.1_amd64.deb
      Size/MD5:   163748 b99d7a9fafcfd3e8b616ef1f483c4da9
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.4-7ubuntu0.1_amd64.deb
      Size/MD5:   164056 17bb99f0f7ab3edf2391271d64e0feda
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.4-7ubuntu0.1_amd64.deb
      Size/MD5:   596412 1d3f23de9e73e3f3c97b2532d7b4c5c8

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libecpg-compat2_8.1.4-7ubuntu0.1_i386.deb
      Size/MD5:   152234 5ec67e24a0c39547dd1a4594f43c9ba2
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libecpg-dev_8.1.4-7ubuntu0.1_i386.deb
      Size/MD5:   342026 a3628ec749e0d789575496d8ef383a31
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libecpg5_8.1.4-7ubuntu0.1_i386.deb
      Size/MD5:   172122 21c2f681f5c623d65d8a8a83ca5ee4fe
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libpgtypes2_8.1.4-7ubuntu0.1_i386.deb
      Size/MD5:   175124 547e40b4cdb2fb8f6c01a443b21a9edb
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libpq-dev_8.1.4-7ubuntu0.1_i386.deb
      Size/MD5:   305840 49c8db9e9ee18d99ce45c1b4cc64c3b6
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libpq4_8.1.4-7ubuntu0.1_i386.deb
      Size/MD5:   202648 e02cd0e97ea04f3ed9808562cdd61b16
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-8.1_8.1.4-7ubuntu0.1_i386.deb
      Size/MD5:  3155738 8b8a255cfc36bb6207d4972d30114c4f
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-client-8.1_8.1.4-7ubuntu0.1_i386.deb
      Size/MD5:   739926 42db79545ef912384d45a9e321aa7889
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.4-7ubuntu0.1_i386.deb
      Size/MD5:   587552 7b3612cd963fd40b7626f19940f5cc85
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.4-7ubuntu0.1_i386.deb
      Size/MD5:   168202 da95c00f91be43d6c4651144fd5d78ce
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.4-7ubuntu0.1_i386.deb
      Size/MD5:   161630 f781234805909d6efabcd1e0ec42bfc5
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.4-7ubuntu0.1_i386.deb
      Size/MD5:   163002 76e987350cb8feb799663e0b72c77a4f
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.4-7ubuntu0.1_i386.deb
      Size/MD5:   596394 460bfba660947b82c1616353d5171e96

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libecpg-compat2_8.1.4-7ubuntu0.1_powerpc.deb
      Size/MD5:   153756 f269e9370aa649d122994aa7907104b5
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libecpg-dev_8.1.4-7ubuntu0.1_powerpc.deb
      Size/MD5:   339348 af5a24b146f61084c6b94b796d3a653a
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libecpg5_8.1.4-7ubuntu0.1_powerpc.deb
      Size/MD5:   174288 5142ebdd438cf151e0f405ff4855f2dc
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libpgtypes2_8.1.4-7ubuntu0.1_powerpc.deb
      Size/MD5:   178260 0d0a813c48e899bb9cff5a41a8398fbd
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libpq-dev_8.1.4-7ubuntu0.1_powerpc.deb
      Size/MD5:   308032 c11439a9a23ead70ddb60fd1b2264003
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libpq4_8.1.4-7ubuntu0.1_powerpc.deb
      Size/MD5:   204732 019d45db40122878bd2f64e25b58702f
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-8.1_8.1.4-7ubuntu0.1_powerpc.deb
      Size/MD5:  3555700 d07b565f5be335ff6761da96b7d88f26
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-client-8.1_8.1.4-7ubuntu0.1_powerpc.deb
      Size/MD5:   779658 251e7a8eed17c33eb868dcf0018970d7
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.4-7ubuntu0.1_powerpc.deb
      Size/MD5:   639686 bea4a0e9f449f75f56554c79f252e9fd
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.4-7ubuntu0.1_powerpc.deb
      Size/MD5:   169106 16226facd3e893b889cb72eb9e8df42c
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.4-7ubuntu0.1_powerpc.deb
      Size/MD5:   163948 d9996a974e94652834ca4c1d1df5013d
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.4-7ubuntu0.1_powerpc.deb
      Size/MD5:   165024 2df3b4f4878f006eec5ce7305672d752
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.4-7ubuntu0.1_powerpc.deb
      Size/MD5:   596432 d35808efc5c022dab90461e0dccfccca

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libecpg-compat2_8.1.4-7ubuntu0.1_sparc.deb
      Size/MD5:   151610 d7e6bb8c226664538a41c05bd8efcc80
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libecpg-dev_8.1.4-7ubuntu0.1_sparc.deb
      Size/MD5:   335088 b0309c99b0f904414afaf29e27ef4aa0
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libecpg5_8.1.4-7ubuntu0.1_sparc.deb
      Size/MD5:   171724 474c5c7903229f404bc042d00910fe34
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libpgtypes2_8.1.4-7ubuntu0.1_sparc.deb
      Size/MD5:   173454 dcd4fc4f2550bf80130fb7e1b02da2b4
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libpq-dev_8.1.4-7ubuntu0.1_sparc.deb
      Size/MD5:   305174 268c509165f58d3ef83491e49cfbdda2
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/libpq4_8.1.4-7ubuntu0.1_sparc.deb
      Size/MD5:   201412 d5e3d6dcca7b83ba18a90da314443c26
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-8.1_8.1.4-7ubuntu0.1_sparc.deb
      Size/MD5:  3482382 515aaee1feeda7549efb2543cf30b167
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-client-8.1_8.1.4-7ubuntu0.1_sparc.deb
      Size/MD5:   754506 cc62cd3ba7ecb37f88a0a13abb0c7a49
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-contrib-8.1_8.1.4-7ubuntu0.1_sparc.deb
      Size/MD5:   598348 fb2b4f26146e27d75c2ed580f2b59be0
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-plperl-8.1_8.1.4-7ubuntu0.1_sparc.deb
      Size/MD5:   167762 69bfb050570fc151fb2d251855ded8f4
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-plpython-8.1_8.1.4-7ubuntu0.1_sparc.deb
      Size/MD5:   162366 4a38b861e8eb528bc4e96e1f64b27a04
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-pltcl-8.1_8.1.4-7ubuntu0.1_sparc.deb
      Size/MD5:   163042 68c9e99678283f3b2cf0f73db8b845e2
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql-8.1/postgresql-server-dev-8.1_8.1.4-7ubuntu0.1_sparc.deb
      Size/MD5:   596424 5a9b3e7626e3664578060f8292199f62

Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ