Message-Id: <E1S2lUb-00057n-6D@titan.mandriva.com>
Date: Wed, 29 Feb 2012 16:31:00 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2012:026 ] postgresql

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:026
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : postgresql
 Date    : February 29, 2012
 Affected: 2010.1, 2011.
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in
 postgresql:
 
 Permissions on a function called by a trigger are not properly checked
 (CVE-2012-0866).
 
 SSL certificate name checks are truncated to 32 characters, allowing
 connection spoofing under some circumstances when using third party
 certificate authorities (CVE-2012-0867).
 
 Line breaks in object names can be exploited to execute arbitrary
 SQL when reloading a pg_dump file (CVE-2012-0868).
 
 This advisory provides the latest versions of PostgreSQL that are not
 vulnerable to these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0866
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0867
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0868
 
 http://www.postgresql.org/docs/9.0/static/release-9-0-7.html
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFPThgZmqjQ0CJFipgRAsbQAJ9gVWSHEr8OFkGbkxTWnLLCuK7HnwCgxnas
bW8T0eHla0+VDyo5ZcKe2Ck=
=5uc+
-----END PGP SIGNATURE-----
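
Added example, not part of the advisory and not PostgreSQL's code: a minimal C illustration of the bug class behind CVE-2012-0867, showing a certificate name check that compares only the first 32 characters next to one that compares the whole name. The function names, the CMP_LEN constant and the two host names are assumptions constructed for this illustration; the embedded-NUL rejection goes slightly beyond what the advisory states.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Assumed limit, taken from the "32 characters" in the advisory text. */
#define CMP_LEN 32

/* Constructed sample names: identical in their first 32 characters. */
static const char HOST[]    = "db-primary-01.prod.internal.corp.example.com";
static const char CERT_CN[] = "db-primary-01.prod.internal.corp.example.net";

/* Flawed check: only the first CMP_LEN characters take part in the
 * comparison, the same result as copying both names into 32-character
 * buffers before comparing them. */
int name_matches_truncated(const char *cert_cn, const char *host)
{
    return strncasecmp(cert_cn, host, CMP_LEN) == 0;
}

/* Hardened check: the certificate name arrives with an explicit length
 * (as it does from an ASN.1 string) and is compared in full. */
int name_matches_full(const char *cert_cn, size_t cn_len, const char *host)
{
    if (memchr(cert_cn, '\0', cn_len) != NULL)
        return 0;               /* embedded NUL would hide a suffix */
    if (cn_len != strlen(host))
        return 0;               /* different lengths can never match */
    return strncasecmp(cert_cn, host, cn_len) == 0;
}

int main(void)
{
    printf("truncated check accepts: %d\n",
           name_matches_truncated(CERT_CN, HOST));
    printf("full check accepts:      %d\n",
           name_matches_full(CERT_CN, strlen(CERT_CN), HOST));
    printf("full check, exact name:  %d\n",
           name_matches_full(HOST, strlen(HOST), HOST));
    return 0;
}
```

Names of 32 characters or fewer behave identically under both checks, which is why a truncating comparison can pass ordinary testing with short host names.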
