Message-Id: <E1Mt4gb-0004YB-Oi@titan.mandriva.com>
Date: Wed, 30 Sep 2009 21:18:01 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:177 ] postgresql
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:177
http://www.mandriva.com/security/
_______________________________________________________________________
Package : postgresql
Date : September 30, 2009
Affected: 2008.1, 2009.0, 2009.1, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:

The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before
8.3.8, and 8.2 before 8.2.14 allows remote authenticated users to
cause a denial of service (backend shutdown) by re-LOAD-ing libraries
from a certain plugins directory (CVE-2009-3229).

The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before
8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22,
and 7.4 before 7.4.26 does not use the appropriate privileges for
the (1) RESET ROLE and (2) RESET SESSION AUTHORIZATION operations,
which allows remote authenticated users to gain privileges. NOTE:
this is due to an incomplete fix for CVE-2007-6600 (CVE-2009-3230).

The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2
before 8.2.14, when using LDAP authentication with anonymous binds,
allows remote attackers to bypass authentication via an empty password
(CVE-2009-3231).

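Why an empty password matters when a service authenticates by LDAP simple bind, shown as an added example (not code from this advisory or from PostgreSQL). FakeDirectory, dn_for, the login functions and the sample account are constructed for the illustration; the directory models only the bind result defined in RFC 4513 section 5.1.2.

```python
class FakeDirectory:
    """Constructed stand-in for an LDAP server; models simple-bind results only."""

    def __init__(self, passwords, allow_anonymous):
        self.passwords = passwords              # DN -> password
        self.allow_anonymous = allow_anonymous

    def simple_bind(self, dn, password):
        if password == "":
            # RFC 4513 section 5.1.2: a DN with a zero-length password is an
            # "unauthenticated bind". The password is never compared; the
            # bind succeeds with anonymous rights if the server permits it.
            return self.allow_anonymous
        return self.passwords.get(dn) == password


def dn_for(user):
    # Hypothetical DN layout for the example.
    return f"uid={user},ou=people,dc=example,dc=net"


def login_bind_only(directory, user, password):
    """Treats any successful bind as proof of identity (the failure mode)."""
    return directory.simple_bind(dn_for(user), password)


def login_reject_empty(directory, user, password):
    """Refuses a zero-length password before contacting the directory."""
    if not password:
        return False
    return directory.simple_bind(dn_for(user), password)


def compare(directory, user, password):
    """Return (bind-only result, reject-empty result) for one login attempt."""
    return (login_bind_only(directory, user, password),
            login_reject_empty(directory, user, password))


# Constructed sample data.
ANON_ON = FakeDirectory({dn_for("alice"): "s3cret"}, allow_anonymous=True)
ANON_OFF = FakeDirectory({dn_for("alice"): "s3cret"}, allow_anonymous=False)

if __name__ == "__main__":
    for label, d in (("anonymous binds on", ANON_ON), ("anonymous binds off", ANON_OFF)):
        for pw in ("s3cret", "wrong", ""):
            print(label, repr(pw), compare(d, "alice", pw))
```

The two logins differ only for the empty password against a directory that permits anonymous binds, which is the configuration named in CVE-2009-3231.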
This update provides fixes for these vulnerabilities.
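To check which of the three CVEs a given server version falls under, the version ranges stated above can be encoded directly. This is an added example, not part of the advisory; the function names, host names and sample inventory are constructed.

```python
import re

# First fixed minor release per branch, copied from the advisory text above.
FIXED_IN = {
    "CVE-2009-3229": {(8, 4): 1, (8, 3): 8, (8, 2): 14},
    "CVE-2009-3230": {(8, 4): 1, (8, 3): 8, (8, 2): 14,
                      (8, 1): 18, (8, 0): 22, (7, 4): 26},
    # Applies only with LDAP authentication and anonymous binds.
    "CVE-2009-3231": {(8, 3): 8, (8, 2): 14},
}


def parse_version(text):
    """Return ((major, minor), patch) from a version string or banner."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError(f"no PostgreSQL version found in {text!r}")
    major, minor, patch = m.groups()
    # Pre-releases such as "8.4beta2" carry no patch number; treat them as
    # .0 so they sort before the first fixed release of the branch.
    return (int(major), int(minor)), int(patch or 0)


def affected_cves(text):
    """CVEs from this advisory whose version range contains the server."""
    branch, patch = parse_version(text)
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if branch in fixed and patch < fixed[branch])


def triage(inventory):
    """Map host -> CVE list, dropping hosts outside every listed range."""
    report = {host: affected_cves(ver) for host, ver in inventory.items()}
    return {host: cves for host, cves in report.items() if cves}


# Constructed inventory; the host names are hypothetical.
SAMPLE_INVENTORY = {
    "db-a": "PostgreSQL 8.3.7 on i586-mandriva-linux-gnu",
    "db-b": "8.3.8",
    "db-c": "8.1.17",
    "db-d": "8.4beta2",
    "db-e": "7.4.26",
}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(host, ", ".join(cves))
```

An empty result means the version is outside the ranges this advisory lists, not that the server has no other known issues.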
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3230
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3231
_______________________________________________________________________
Updated Packages:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>