Message-Id: <E1Mt4gb-0004YB-Oi@titan.mandriva.com>
Date: Wed, 30 Sep 2009 21:18:01 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:177 ] postgresql


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:177
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : postgresql
 Date    : September 30, 2009
 Affected: 2008.1, 2009.0, 2009.1, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before
 8.3.8, and 8.2 before 8.2.14 allows remote authenticated users to
 cause a denial of service (backend shutdown) by re-LOAD-ing libraries
 from a certain plugins directory (CVE-2009-3229).
 
 The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before
 8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22,
 and 7.4 before 7.4.26 does not use the appropriate privileges for
 the (1) RESET ROLE and (2) RESET SESSION AUTHORIZATION operations,
 which allows remote authenticated users to gain privileges.  NOTE:
 this is due to an incomplete fix for CVE-2007-6600 (CVE-2009-3230).
 
 The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2
 before 8.2.14, when using LDAP authentication with anonymous binds,
 allows remote attackers to bypass authentication via an empty password
 (CVE-2009-3231).
 
 This update provides a fix for these vulnerabilities.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3229
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3230
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3231
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKw4E6mqjQ0CJFipgRApKzAKCOxuZ4KKkRhfbiHxUZtWwF876BgACg2nlk
7OK5CwX9f5YzWv6QZl+zh10=
=00ge
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
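
Added example, not part of the advisory and not PostgreSQL's or Mandriva's code: the class of flaw described for CVE-2009-3231, next to a guarded form. It assumes a directory that permits anonymous binds, where a simple bind carrying a zero-length password succeeds as an unauthenticated bind (RFC 4513, section 5.1.2); mock_ldap_simple_bind, the DN and the password are constructed stand-ins.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a directory server that permits anonymous binds.
 * A simple bind with a zero-length password is accepted without any
 * credential being checked. Returns 0 on success, -1 on failure. */
static int mock_ldap_simple_bind(const char *dn, const char *password)
{
    static const char *known_dn = "uid=alice,dc=example,dc=org"; /* constructed */
    static const char *known_pw = "correct horse";               /* constructed */

    if (dn == NULL)
        return -1;
    if (password == NULL || password[0] == '\0')
        return 0;                     /* unauthenticated bind "succeeds" */
    if (strcmp(dn, known_dn) == 0 && strcmp(password, known_pw) == 0)
        return 0;
    return -1;
}

/* Weak pattern: treats "bind succeeded" as "user proved the password". */
int ldap_auth_weak(const char *dn, const char *password)
{
    return mock_ldap_simple_bind(dn, password) == 0;
}

/* Guarded pattern: refuse empty names and empty passwords before the bind,
 * so a successful bind always means a credential was actually verified. */
int ldap_auth_hardened(const char *dn, const char *password)
{
    if (dn == NULL || dn[0] == '\0')
        return 0;
    if (password == NULL || password[0] == '\0')
        return 0;
    return mock_ldap_simple_bind(dn, password) == 0;
}

int main(void)
{
    const char *dn = "uid=alice,dc=example,dc=org";
    printf("weak, empty password:     %d\n", ldap_auth_weak(dn, ""));
    printf("hardened, empty password: %d\n", ldap_auth_hardened(dn, ""));
    printf("hardened, right password: %d\n",
           ldap_auth_hardened(dn, "correct horse"));
    return 0;
}
```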
